Expected numeric type on field [Flag], but got [keyword]

Hi there,

I found there are a lots of error message shown in the elasticsearch log.
It says “expected numeric type on field [Flag], but got [keyword]”, but the graylog-internal template for gl2_* mapping type is keyword.
Should this be overwritten by using custom index mappings?
Graylog version: 2.3.2
Elasticsearch version: 5.6.5
Thank you.

[2017-12-18T02:27:02,496][DEBUG][o.e.a.s.TransportSearchAction] [sjdc-itlogweb-r04] [graylog_14664][1], node[Xtfaeyp5QA6NaxZfthhTKg], [R], s[STARTED], a[id=qIC_mRT0SOmnCacjwhmMWg]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, indices=[graylog_*], indicesOptions=IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true], types=[message], routing=‘null’, preference=‘null’, requestCache=null, scroll=null, maxConcurrentShardRequests=50, batchedReduceSize=512, preFilterShardSize=128, source={
“from” : 0,
“query” : {
“bool” : {
“must” : [
{
“match_all” : {
“boost” : 1.0
}
}
],
“filter” : [
{
“bool” : {
“must” : [
{
“range” : {
“timestamp” : {
“from” : “2017-12-18 07:21:56.175”,
“to” : “2017-12-18 07:26:56.175”,
“include_lower” : true,
“include_upper” : true,
“boost” : 1.0
}
}
},
{
“query_string” : {
“query” : “streams:59684d3faf327746d43b7d74”,
“fields” : [ ],
“use_dis_max” : true,
“tie_breaker” : 0.0,
“default_operator” : “or”,
“auto_generate_phrase_queries” : false,
“max_determinized_states” : 10000,
“enable_position_increments” : true,
“fuzziness” : “AUTO”,
“fuzzy_prefix_length” : 0,
“fuzzy_max_expansions” : 50,
“phrase_slop” : 0,
“escape” : false,
“split_on_whitespace” : true,
“boost” : 1.0
}
}
],
“disable_coord” : false,
“adjust_pure_negative” : true,
“boost” : 1.0
}
}
],
“disable_coord” : false,
“adjust_pure_negative” : true,
“boost” : 1.0
}
},
“aggregations” : {
“gl2_filter” : {
“filter” : {
“bool” : {
“must” : [
{
“range” : {
“timestamp” : {
“from” : “2017-12-18 07:21:56.175”,
“to” : “2017-12-18 07:26:56.175”,
“include_lower” : true,
“include_upper” : true,
“boost” : 1.0
}
}
},
{
“query_string” : {
“query” : “streams:59684d3faf327746d43b7d74”,
“fields” : [ ],
“use_dis_max” : true,
“tie_breaker” : 0.0,
“default_operator” : “or”,
“auto_generate_phrase_queries” : false,
“max_determinized_states” : 10000,
“enable_position_increments” : true,
“fuzziness” : “AUTO”,
“fuzzy_prefix_length” : 0,
“fuzzy_max_expansions” : 50,
“phrase_slop” : 0,
“escape” : false,
“split_on_whitespace” : true,
“boost” : 1.0
}
}
],
“disable_coord” : false,
“adjust_pure_negative” : true,
“boost” : 1.0
}
},
“aggregations” : {
“gl2_extended_stats” : {
“extended_stats” : {
“field” : “Flag”,
“sigma” : 2.0
}
}
}
}
}
}}] lastShard [true]
org.elasticsearch.transport.RemoteTransportException: [dc-log-03][10.1.1.23:9300][indices:data/read/search[phase/query]]
Caused by: java.lang.IllegalArgumentException: Expected numeric type on field [Flag], but got [keyword]

But the graylog-internal template for gl2_* mapping type is keyword.

        "dynamic_templates": [
           {
              "internal_fields": {
                 "match": "gl2_*",
                 "mapping": {
                    "type": "keyword"
                 }

Graylog is using the dynamic mapping feature of Elasticsearch, once a field is generated the type of that ingested content is used.

To avoid that you have multiple field types in different indices having a custom mapping is one solution. Check the content of the fields in a processing pipeline would be another solution.

Ok, thanks for the information.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.