I am trying to get properties that are sent to logstash via our Winlogbeat data shipper to show up as an integer type if the value is indeed an integer.
Here is an example of a snippet of JSON that was posted to ES:
"event_data": {
"ShutdownPreShutdownNotificationsTime": "10191",
"ShutdownUserPolicyTime": "98",
"ShutdownKernelTime": "2353",
"ShutdownRootCauseGradualDegradationBits": "0",
"ShutdownTimeChange": "0",
"ShutdownTime": "46062",
"ShutdownRootCauseStepDegradationBits": "0",
"ShutdownEndTime": "2019-05-22T19:37:02.119561900Z",
"ShutdownStartTime": "2019-05-22T19:36:16.057145700Z",
"ShutdownUserProfilesTime": "118",
"ShutdownTsVersion": "1",
"ShutdownRootCauseStepImprovementBits": "0",
"ShutdownServicesTime": "3861",
"ShutdownSystemSessionsTime": "14266",
"ShutdownRootCauseGradualImprovementBits": "0",
"ShutdownIsDegradation": "false",
"ShutdownUserSessionTime": "29442"
},
It seems that Kibana has determined that this field should be a string:
I know I could essentially do something like this in my logstash config:
if [event_data][ShutdownTime] {
mutate {
convert => {"[event_data][ShutdownTime]" => "integer"}
}
}
But I don't want to have to re-index if I find another field that was stuffed into ES was stuffed as a string and not a integer.
What would be the easiest way to get the data types setup correctly without having to go through each desirable field and adding a mutate to get it to be indexed as a number rather than a string?
Thanks