Field not analyzing

MalinkinSA · July 28, 2021, 12:09pm

Hello,
We have a graylog 4.0.7 and for parsing we use Grok patterns extractor. But all field what was created by this grok - not analyzed. And we can’t search by the custom field without * or fulltext searching.
How we can change it? I tried change index template, but after index rotation all my changes lost.

MalinkinSA · July 28, 2021, 12:38pm

Hm, i think i found solution. I must add type: “text” and analyzer: “standard” for the interesting me field in this custom template and merge it? And this field have a maping for all index where they found?

gsmith · July 29, 2021, 2:44am

Hello,

Could you show your configurations and to be honest, I have no clue why this is happing to you.

Could you explain in greater detail about this?

There might be some information in here about indices.

MalinkinSA · August 11, 2021, 2:20pm

Hello, @gsmith
I find solution in custom template mapping, but one monet baffles me. If a want add a few mapping in different indexes i must create this filed in all of this indexes?

@jan
It’s correct that i can’t describe few different templates in graylog-custom-mapping-7x.json?

gsmith · August 12, 2021, 1:04am

Instead of GROK can you use regex instead?

MalinkinSA · August 12, 2021, 6:58am

I try both, nothing changes, default type - keyword

gsmith · August 13, 2021, 2:06am

Can you show what configuration you have made or wanted to make such as Templates and your Grok patterns extractor. In my lab I have created a Grok patterns extractor then rotated my indices and my Grok patterns extractor still created fields I needed. Im not see the same issue as you are. Not knowning how you implemented this it hard to troubleshoot.

MalinkinSA · August 13, 2021, 6:09am

No, i speak about another issue.
The field is not lost after rotation. For example i use Grok %{NUMBER:src_port} for extract src_port from event. In elastic, this field was created with type - keyword. And after rotation this field was with keyword type.
But in my case me need switch type of field from keyword to integer, and this i can make only with custom template. But in my cluster i have a few indexes where this field exist and indexes where not exist. And therefore, through custom mapping, when I have to do this field for all my indices

gsmith · August 13, 2021, 9:49pm

Ok so you modified your default INDEX template and when it rotates you lose that configured mapping keyword --> integer.

I have been working with something like this and the following links helped out a lot.

Then I had to read this to fine turn my knowledge and understand of Elasticsearch.

Custom index mappings

You might have missed a step.
Hope this helps

MalinkinSA · August 16, 2021, 7:15am

Yep, but all fields must describe in graylog-custom-mapping with specified index_pattern.
It’s work, but in my case i must use template as * and all filed created in all new indexes

But it’s better than nothing

system · August 30, 2021, 7:16am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Specific field not indexed correctly and search not working Graylog Central (peer support)	8	2900	November 12, 2020
Upgrading to Elasticsearch 7.10 / problem with custom index template Graylog Central (peer support)	10	2324	December 14, 2020
Custom mapping not applied to indices Graylog Central (peer support)	5	3092	December 3, 2019
A field not added to custom template Graylog Central (peer support)	3	1502	March 9, 2018
Graylog indexer failure even after custom mapping Graylog Central (peer support)	4	680	March 7, 2019

Field not analyzing

Related topics