Hi, you can't change the types of a field in an existing index. The schema has to be defined up-front.
I'm pretty sure you want to read http://docs.graylog.org/en/2.0/pages/configuration/elasticsearch.html#custom-index-mappings .

Cheers,
Jochen

On Friday, 26 August 2016 05:38:44 UTC+2, Gray Log wrote:
>
> Hi,
>
> (Using current 2.0.3 OVA)
>
> I created an extractor on the default syslog-udp input and despite setting the conversion to Numeric, I neglected to click the Add button. Thus the field was created as type string.
>
> Thus it cannot be graphed because it is a string. Quick values are not sufficient, I need the graph (and statistical calcs also).
>
> Following other guides I have removed all instances of the offending field, then I deleted the extractor completely, then I re-created it.
>
> However, the new values are *still* strings even though I deleted those fields and the extractor previously.
>
> "tcp_seq_num" : {
>   "type" : "string",
>   "index" : "not_analyzed"
> },
>
> So, how do you change the field type of an already created field, right now? i.e. not after the indexes are rotated or at any other time, but immediately, right now.
>
> https://github.com/Graylog2/graylog2-web-interface/issues/1592#issuecomment-137448785
> "One solution for the problem is to wait: once your ES indices are rotated, the removed fields will go away. If that's not good enough for your case, you can manually delete them in Elasticsearch."
>
> Given that I have deleted them from elasticsearch, then why do they remain as strings afterwards? What is the correct process?
>
> For reference, this is what I did:
> 1) Created the extractor without clicking the Add button next to the conversion drop down.
> 2) Logs are received and the new field is created and appears on left hand menu.
>
> All looks great at this point until you try to graph the result - only then do you discover your mistake. And now all those collected logs are useless it would appear.
>
> 3) Delete the extractor to stop it creating more bogus data
> 4) Hunt down and delete every field: (see here for details: https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-update.html )
>
> $ curl 'localhost:9200/graylog_0/_search?q=_exists_:tcp_seq_num&pretty&fields=id' | grep _id | cut -d\" -f4 | while read id;do \
>   echo "curl -XPOST \"localhost:9200/graylog_0/message/${id}/_update\" -d '{ \"script\" : \"ctx._source.remove(\\\"pf_tcp_seq_num\\\")\" }'"; \
>   done > delme
> $ sh delme
>
> Note Well: I do it in 2 stages just for convenience, create the script "delme" containing the commands then execute them "sh delme".
>
> 5) Run the search again to make sure they were deleted: curl 'localhost:9200/graylog_0/_search?q=_exists_:tcp_seq_num&pretty&fields=id' => No results
> 6) Recreate the extractor with correct numeric conversion applied.
> 7) Wait for logs to arrive.
> 8) Try to graph the field -> error, cannot graph strings. WTF?
> 9) Re-examine mappings - curl -X GET 'http://localhost:9200/graylog_0/_mappings?pretty'
>
> It is identical to the way it was before:
>
> "tcp_seq_num" : {
>   "type" : "string",
>   "index" : "not_analyzed"
> },
>
> Surely, there must be a way that I'm missing.
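
As an added illustration of the reply's point (this code is not from the thread or from Graylog), the sketch below compares a `_mappings` response with the types you want and builds a custom index template body in the Elasticsearch 2.x template format that the linked documentation page describes. The sample mapping is constructed from the snippet quoted in the thread; the target type `long` and the function names are assumptions.

```python
import json

# Constructed sample: shape of GET /graylog_0/_mappings on Elasticsearch 2.x,
# using the field and mapping quoted in the thread plus one unrelated field.
SAMPLE_MAPPINGS = {
    "graylog_0": {
        "mappings": {
            "message": {
                "properties": {
                    "tcp_seq_num": {"type": "string", "index": "not_analyzed"},
                    "source": {"type": "string"},
                }
            }
        }
    }
}


def type_conflicts(mappings, wanted, doc_type="message"):
    """Return {index: {field: (current_type, wanted_type)}} for mismatches."""
    conflicts = {}
    for index, body in mappings.items():
        props = body.get("mappings", {}).get(doc_type, {}).get("properties", {})
        bad = {
            field: (props[field].get("type"), wanted_type)
            for field, wanted_type in wanted.items()
            if field in props and props[field].get("type") != wanted_type
        }
        if bad:
            conflicts[index] = bad
    return conflicts


def custom_template(wanted, pattern="graylog_*", doc_type="message"):
    """Build a template body that sets field types for indices created later."""
    properties = {field: {"type": t} for field, t in wanted.items()}
    return {"template": pattern, "mappings": {doc_type: {"properties": properties}}}


if __name__ == "__main__":
    wanted = {"tcp_seq_num": "long"}  # assumed target type for the numeric field
    print(type_conflicts(SAMPLE_MAPPINGS, wanted))
    print(json.dumps(custom_template(wanted), indent=2))
```

An index template is applied only when an index is created, so an existing index such as `graylog_0` keeps its `string` mapping; the new type shows up in the next index that is created after the template is installed.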
