[
https://issues.apache.org/jira/browse/METRON-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16675701#comment-16675701
]
ASF GitHub Bot commented on METRON-1857:
----------------------------------------
Github user merrimanr commented on the issue:
https://github.com/apache/metron/pull/1253
I'm not sure if you know the answer to this @nickwallen because it predates
this PR, but is the intention to convert all `metron_alert.*` fields to keyword
types? I can see the motivation behind doing this because we may not be aware
of all field types in the various sensors that could be added to a metaalert.
Maybe @justinleet knows?
If my assumption is true then we need another small change to make that
happen. Currently the `match_mapping_type` attribute is set to `string` which
will only convert string types. If we want to convert all fields, it needs to
be:
```
"dynamic_templates": [
{
"alert_template": {
"path_match": "metron_alert.*",
"match_mapping_type": "*",
"mapping": {
"type": "keyword"
}
}
```
Notice `string` has been changed to `*`.
> Fix Metaalert Nested Alert Field Name in Index Template
> -------------------------------------------------------
>
> Key: METRON-1857
> URL: https://issues.apache.org/jira/browse/METRON-1857
> Project: Metron
> Issue Type: Bug
> Reporter: Nick Allen
> Assignee: Nick Allen
> Priority: Major
>
> The Metaalert nested alert field was renamed in METRON-1601. One portion of
> the template rename was missed.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
