Compound(long,string) after setting type hint in graylog extractor

We have fields that we want to store as numbers to do some aggregations. Dynamic mapping mapped those fields as keywords.
We added a type hint of "int" to the grok extractor for those fields, and now those fields are stored as "long", but we still cannot aggregate, probably because the field (for example) nusersessions = compound(long,string). Is this expected behavior? Where is old cached mapping information stored, in Graylog or something?
before:
    "nusersessions": {
      "type": "keyword"
    },
after:
    "nusersessions": {
      "type": "long"
    }

Mappings are stored in Elasticsearch.

Should you have some old indices with the mapping keyword and the new ones with long, the aggregation would only work when your search includes only the indices where the mapping is long.

Data is only manipulated from the point in time you added this manipulation - not done to any data that is already in Elasticsearch.

1 Like
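An added example, not part of the thread: the per-index mapping described in the answer above can be inspected with Elasticsearch's get-field-mapping API (`GET /<index pattern>/_mapping/field/<field>`), and the sketch below lists which indices still map the field as a non-numeric type. The response is a constructed sample; the index names (`graylog_41` to `graylog_43`) and the `message` mapping type are assumptions.

```python
import json

# Constructed sample of an Elasticsearch 6.x response to
#   GET /graylog_*/_mapping/field/nusersessions
# Index names and the "message" mapping type are assumptions for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "graylog_41": {"mappings": {"message": {"nusersessions": {
      "full_name": "nusersessions",
      "mapping": {"nusersessions": {"type": "keyword"}}}}}},
  "graylog_42": {"mappings": {"message": {"nusersessions": {
      "full_name": "nusersessions",
      "mapping": {"nusersessions": {"type": "long"}}}}}},
  "graylog_43": {"mappings": {}}
}
""")

NUMERIC_TYPES = {"long", "integer", "short", "byte",
                 "double", "float", "half_float", "scaled_float"}


def field_types_by_index(response, field):
    """Return {index_name: es_type or None} for one field."""
    result = {}
    for index, body in response.items():
        mappings = body.get("mappings", {})
        # ES 6.x nests fields under a mapping type; ES 7.x lists them directly.
        levels = [mappings] + [v for v in mappings.values() if isinstance(v, dict)]
        es_type = None
        for level in levels:
            entry = level.get(field)
            if isinstance(entry, dict) and "mapping" in entry:
                # The inner key is the leaf name of the field path.
                leaf = entry["mapping"].get(field.split(".")[-1], {})
                es_type = leaf.get("type")
                break
        result[index] = es_type  # None: field not mapped in this index
    return result


def indices_blocking_numeric_aggregation(response, field):
    """Indices where the field is mapped, but not as a numeric type."""
    types = field_types_by_index(response, field)
    return sorted(i for i, t in types.items()
                  if t is not None and t not in NUMERIC_TYPES)


if __name__ == "__main__":
    print(field_types_by_index(SAMPLE_RESPONSE, "nusersessions"))
    print(indices_blocking_numeric_aggregation(SAMPLE_RESPONSE, "nusersessions"))
```

Any index the second function returns has to fall outside the search range for a numeric aggregation on that field to work, as the answer describes.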

Thank you for the answer!
I have a lot of old indices, but the search is performed only in a time range where all indices (it is just the latest index, for test purposes) have the new mappings. I can see this when using the standard search functionality, in the Search results section (found x messages in x ms, searched in x indices), by pressing on the number of indices the search was performed on. The extended search functionality does not offer a way to see which indices the search was performed on, but the search range and search attributes are copied from the standard search, so it “should” be the same. Graylog is version 3.1.

So you are using the extended search … that wasn’t clear from your previously written postings.

Both searches use the same meta data range - so it should be the same data-range.

It looks like in standard search, when using the statistics widget, it is treating the field type correctly as a number, because Sum, Mean, Min etc. are present (still, some fields are not stored in ES as long, though they are described in the grok extractor with a type hint the same way as those that work). In extended search, fields are still treated as compound and thus cannot be aggregated.
