You're doing it correctly. Once you define a variable as a particular type in an index, it will use that one type for that entire index. Your change to the type won't take effect until the index rolls. I got burned by this myself, was setting one up with a fellow here, we realized it needed to be numeric to do proper less-than/greater-than testing, and couldn't change it and finish the project until the next day, after the index had rolled over. The next morning I was able to complete it.

On Thu, Aug 25, 2016 at 10:38 PM, Gray Log <[email protected]> wrote:

> Hi,
>
> (Using current 2.0.3 OVA)
>
> I created an extractor on the default syslog-udp input and despite setting the conversion to Numeric, I neglected to click the Add button. Thus the field was created as type string.
>
> Thus it cannot be graphed because it is a string. Quick values are not sufficient, I need the graph (and statistical calcs also).
>
> Following other guides I have removed all instances of the offending field, then I deleted the extractor completely, then I re-created it.
>
> However, the new values are *still* strings even though I deleted those fields and the extractor previously.
>
>     "tcp_seq_num" : {
>       "type" : "string",
>       "index" : "not_analyzed"
>     },
>
> So, how do you change the field type of an already created field, right now? i.e. not after the indexes are rotated or at any other time, but immediately, right now.
>
> https://github.com/Graylog2/graylog2-web-interface/issues/1592#issuecomment-137448785
> "One solution for the problem is to wait: once your ES indices are rotated, the removed fields will go away. If that's not good enough for your case, you can manually delete them in Elasticsearch."
>
> Given that I have deleted them from elasticsearch, then why do they remain as strings afterwards? What is the correct process?
>
> For reference, this is what I did:
> 1) Created the extractor without clicking the Add button next to the conversion drop down.
> 2) Logs are received and the new field is created and appears on left hand menu.
>
> All looks great at this point until you try to graph the result - only then do you discover your mistake. And now all those collected logs are useless it would appear.
>
> 3) Delete the extractor to stop it creating more bogus data
> 4) Hunt down and delete every field: (see here for details: https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-update.html)
>
>     $ curl 'localhost:9200/graylog_0/_search?q=_exists_:tcp_seq_num&pretty&fields=id' | grep _id | cut -d\" -f4 | while read id;do \
>     echo "curl -XPOST \"localhost:9200/graylog_0/message/${id}/_update\" -d '{ \"script\" : \"ctx._source.remove(\\\"pf_tcp_seq_num\\\")\" }'"; \
>     done > delme
>     $ sh delme
>
> Note Well: I do it in 2 stages just for convenience, create the script "delme" containing the commands then execute them "sh delme".
>
> 5) Run the search again to make sure they were deleted: curl 'localhost:9200/graylog_0/_search?q=_exists_:tcp_seq_num&pretty&fields=id' => No results
> 6) Recreate the extractor with correct numeric conversion applied.
> 7) Wait for logs to arrive.
> 8) Try to graph the field -> error, cannot graph strings. WTF?
> 9) Re-examine mappings - curl -X GET 'http://localhost:9200/graylog_0/_mappings?pretty'
>
> It is identical to the way it was before:
>
>     "tcp_seq_num" : {
>       "type" : "string",
>       "index" : "not_analyzed"
>     },
>
> Surely, there must be a way that I'm missing.
>
> --
> You received this message because you are subscribed to the Google Groups "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/4ed72f6f-987d-4254-b913-802c46d43bf6%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
No matter what we think of Linux versus FreeBSD, etc., the one thing I really like about Linux is that it has Microsoft worried. Anything that kicks a monopoly in the pants has got to be good for something.
- Chris Johnson
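
Added example, not part of the original messages: a small Python check over the JSON returned by the `_mappings` request in step 9, showing per index which type a field is pinned to, so you can confirm that a rotated index picked up the numeric type while the old one still holds `string`. The sample data, the `graylog_1` index and the `long` type in it are constructed for illustration, and the function names are hypothetical.

```python
import json

# Elasticsearch numeric mapping types (graphable / usable for statistics).
NUMERIC = {"long", "integer", "short", "byte", "double", "float"}

# Constructed sample of `GET /_mappings` output, not real cluster data:
# graylog_0 predates the extractor fix, graylog_1 was created after rotation.
SAMPLE = json.loads("""
{
  "graylog_0": {"mappings": {"message": {"properties": {
      "tcp_seq_num": {"type": "string", "index": "not_analyzed"},
      "source":      {"type": "string", "index": "not_analyzed"}}}}},
  "graylog_1": {"mappings": {"message": {"properties": {
      "tcp_seq_num": {"type": "long"},
      "source":      {"type": "string", "index": "not_analyzed"}}}}}
}
""")

def field_types(mappings, field):
    """Return {index_name: mapped type, or None if the field is unmapped}."""
    result = {}
    for index, body in mappings.items():
        mapped = None
        # The mapping belongs to the index, not to individual documents, so
        # deleting the field from every document leaves this entry in place.
        for doc_type in body.get("mappings", {}).values():
            props = doc_type.get("properties", {})
            if field in props:
                mapped = props[field].get("type")
                break
        result[index] = mapped
    return result

def graphable_indices(mappings, field):
    """Indices in which the field is mapped as a numeric type."""
    types = field_types(mappings, field)
    return sorted(i for i, t in types.items() if t in NUMERIC)

def has_conflict(mappings, field):
    """True when the same field has different types in different indices."""
    return len({t for t in field_types(mappings, field).values() if t}) > 1

if __name__ == "__main__":
    for index, mapped in sorted(field_types(SAMPLE, "tcp_seq_num").items()):
        print(f"{index}: tcp_seq_num -> {mapped}")
    print("numeric in:", graphable_indices(SAMPLE, "tcp_seq_num"))
    print("type conflict across indices:", has_conflict(SAMPLE, "tcp_seq_num"))
```

To run it against a live node, replace `SAMPLE` with the parsed output of the `_mappings` request from step 9.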
