Field not analyzing

MalinkinSA · July 28, 2021, 12:09pm

Hello,
We have a graylog 4.0.7 and for parsing we use Grok patterns extractor. But all field what was created by this grok - not analyzed. And we can’t search by the custom field without * or fulltext searching.
How we can change it? I tried change index template, but after index rotation all my changes lost.

MalinkinSA · July 28, 2021, 12:38pm

Hm, i think i found solution. I must add type: “text” and analyzer: “standard” for the interesting me field in this custom template and merge it? And this field have a maping for all index where they found?

gsmith · July 29, 2021, 2:44am

Hello,

Could you show your configurations and to be honest, I have no clue why this is happing to you.

Could you explain in greater detail about this?

There might be some information in here about indices.

MalinkinSA · August 11, 2021, 2:20pm

Hello, @gsmith
I find solution in custom template mapping, but one monet baffles me. If a want add a few mapping in different indexes i must create this filed in all of this indexes?

@jan
It’s correct that i can’t describe few different templates in graylog-custom-mapping-7x.json?

gsmith · August 12, 2021, 1:04am

Instead of GROK can you use regex instead?

MalinkinSA · August 12, 2021, 6:58am

I try both, nothing changes, default type - keyword

gsmith · August 13, 2021, 2:06am

Can you show what configuration you have made or wanted to make such as Templates and your Grok patterns extractor. In my lab I have created a Grok patterns extractor then rotated my indices and my Grok patterns extractor still created fields I needed. Im not see the same issue as you are. Not knowning how you implemented this it hard to troubleshoot.

MalinkinSA · August 13, 2021, 6:09am

No, i speak about another issue.
The field is not lost after rotation. For example i use Grok %{NUMBER:src_port} for extract src_port from event. In elastic, this field was created with type - keyword. And after rotation this field was with keyword type.
But in my case me need switch type of field from keyword to integer, and this i can make only with custom template. But in my cluster i have a few indexes where this field exist and indexes where not exist. And therefore, through custom mapping, when I have to do this field for all my indices

gsmith · August 13, 2021, 9:49pm

Ok so you modified your default INDEX template and when it rotates you lose that configured mapping keyword --> integer.

I have been working with something like this and the following links helped out a lot.

Then I had to read this to fine turn my knowledge and understand of Elasticsearch.

Custom index mappings

You might have missed a step.
Hope this helps

MalinkinSA · August 16, 2021, 7:15am

Yep, but all fields must describe in graylog-custom-mapping with specified index_pattern.
It’s work, but in my case i must use template as * and all filed created in all new indexes

But it’s better than nothing

Topic		Replies	Views
Specific field not indexed correctly and search not working Graylog Central (peer support)	7	3037	October 29, 2020
Adding custom index mapping Graylog Tech Challenges	0	1073	July 2, 2021
Graylog indexer failure even after custom mapping Graylog Central (peer support)	3	698	February 21, 2019
Custom fields are searchable? Graylog Central (peer support)	4	2782	April 14, 2017
Custom mapping not applied to indices Graylog Central (peer support)	4	3149	November 19, 2019

Field not analyzing

Related topics