Hi,
(Using current 2.0.3 OVA)
I created an extractor on the default syslog-udp input and despite setting
the conversion to Numeric, I neglected to click the Add button. Thus the
field was created as type string.
Thus it cannot be graphed because it is a string. Quick values are not
sufficient, I need the graph (and statistical calcs also).
Following other guides I have removed all instances of the offending field,
then I deleted the extractor completely, then I re-created it.
However, the new values are *still* strings even though I deleted those
fields and the extractor previously.
"tcp_seq_num" : {
"type" : "string",
"index" : "not_analyzed"
},
So, how do you change the field type of an already created field, right
now? ie. not after the indexes are rotated or at any other time, but
immediately, right now.
https://github.com/Graylog2/graylog2-web-interface/issues/1592#issuecomment-137448785
"One solution for the problem is to wait: once your ES indices are rotated,
the removed fields will go away. If that's not good enough for your case,
you can manually delete them in Elasticsearch."
Given that I have deleted them from elasticsearch, then why do they remain
as strings afterwards? What is the correct process?
For reference, this is what I did:
1) Created the extractor without clicking the Add button next to the
conversion drop down.
2) Logs are received and the new field is created and appears on left hand
menu.
All looks great at this point until you try to graph the result - only then
do you discover your mistake. And now all those collected logs are useless
it would appear.
3) Delete the extractor to stop it creating more bogus data
4) Hunt down and delete every field: (see here for details:
https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-update.html)
$ curl 'localhost:9200/graylog_0/_search?q=_exists_:tcp_seq_num&pretty&fields=id' \
| grep _id | cut -d\" -f4 | while read id;do \
echo "curl -XPOST \"localhost:9200/graylog_0/message/${id}/_update\" -d '{ \"script\" : \"ctx._source.remove(\\\"pf_tcp_seq_num\\\")\" }'"; \
done > delme
$ sh delme
Note Well: I do it in 2 stages just for convenience, create the script
"delme" containing the commands then execute them "sh delme".
5) Run the search again to make sure they were deleted:
curl 'localhost:9200/graylog_0/_search?q=_exists_:tcp_seq_num&pretty&fields=id'
=> No results
6) Recreate the extractor with correct numeric conversion applied.
7) Wait for logs to arrive.
8) Try to graph the field -> error, cannot graph strings. WTF?
9) Re-examine mappings:
curl -X GET 'http://localhost:9200/graylog_0/_mappings?pretty'
It is identical to the way it was before:
"tcp_seq_num" : {
"type" : "string",
"index" : "not_analyzed"
},
Surely, there must be a way that I'm missing.
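
The mapping check from step 9, as an added example that is not part of the original post: it reads a `_mappings` response and reports, per index, the type recorded for a field, so an index that still maps the field as a string can be identified. The sample response is constructed; `graylog_1` and `graylog_2` are hypothetical indices, and only the `graylog_0` entry repeats the mapping shown above.

```python
import json

# Elasticsearch numeric field types; anything else is reported as non-numeric.
NUMERIC_TYPES = {"byte", "short", "integer", "long", "float", "double"}

# Constructed sample, shaped like the output of
#   curl -X GET 'http://localhost:9200/graylog_0/_mappings?pretty'
# but extended to several indices for illustration.
SAMPLE_MAPPINGS = """
{
  "graylog_0": {"mappings": {"message": {"properties": {
      "message": {"type": "string"},
      "tcp_seq_num": {"type": "string", "index": "not_analyzed"}
  }}}},
  "graylog_1": {"mappings": {"message": {"properties": {
      "message": {"type": "string"},
      "tcp_seq_num": {"type": "long"}
  }}}},
  "graylog_2": {"mappings": {"message": {"properties": {
      "message": {"type": "string"}
  }}}}
}
"""

def field_types(mappings, field):
    """Return {index: type} for every index whose mapping defines `field`."""
    found = {}
    for index, body in mappings.items():
        for doc_type in body.get("mappings", {}).values():
            props = doc_type.get("properties", {})
            if field in props:
                # Object fields carry no "type" key; report them as "object".
                found[index] = props[field].get("type", "object")
    return found

def non_numeric_indices(mappings, field):
    """Indices where `field` is mapped to something other than a numeric type."""
    return sorted(i for i, t in field_types(mappings, field).items()
                  if t not in NUMERIC_TYPES)

if __name__ == "__main__":
    mappings = json.loads(SAMPLE_MAPPINGS)
    for index, ftype in sorted(field_types(mappings, "tcp_seq_num").items()):
        print(f"{index}: tcp_seq_num is {ftype}")
    print("non-numeric in:", non_numeric_indices(mappings, "tcp_seq_num"))
```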