Field types in GL5 with OS2.5

Hello dear community!

I have the following annoyance:
Upgraded to GL5.0.2 from 4.3.11
I had customized field types for IP-related stuff made with _template (on the ES 7.8 I had before the upgrade).
Now if I use a template it totally messes up all “automagical” field mappings and results in unusable data, where ALL BUT the fields configured in the template are considered as “text” type and no log rows are displayed, only an OS error/warning. Deleting the template and rotating “fixes” the problem, but then e.g. all the IP-related fields are of type “keyword” and no network searches can be made.

That was not the case before; the template changed ONLY the given field types.

  • OS Information:
    Centos7
    GL 5.0.2
    OS 2.5
    Mongo 5.0

So far I have tried (in OS) _index_template, and _index_template with _component_template; same result.

There must be a way other than making a huge template from the results of a _mapping query?!

Any help dearly appreciated :slight_smile:

Minor UPDATE:

My main interest is Fortigate firewall logs btw. And Graylog is GREAT with views etc.!

I ran “as default” for a couple of hours, and then made the _index_template using data from the _mapping API.
Edited the results to my liking and set the default with dynamic_templates.

Now I can search IPs again.
Hope this helps someone while this gets properly sorted out.

Hey,

Could you explain this in greater detail, i.e. did you make that “IP” field?

I'll try to be clearer.

  1. All fields were of type “keyword” after the upgrade to 5.0.2 (I was using the deprecated _template).
  2. Updated my _template to an _index_template with the better field types (the old mapping I was using before), e.g. IP-address fields → type “ip”. This step broke everything in the mappings, including the default field recognition (of which I know nothing). All but the fields in the _index_template were applied as type “text”; the biggest failure was the timestamp fields, hence the errors.
  3. Removed the template and ran for about 4 hours, then made a new _index_template from the results. Then I got the timestamp fields etc. correctly mapped.
  4. Applied the new _index_template and now things run like I want them to (OK, minor changes are still waiting for the time to do them).
1 Like
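The procedure in the update above and in steps 1 to 4 (run with the default mapping, pull `_mapping`, derive a template that keeps the dynamic defaults and only retypes the IP fields) can be scripted. The following is an added example and not code from the thread or from Graylog: it takes a constructed excerpt of a `_mapping` response, carries over its `dynamic_templates` and `properties`, retypes the named fields as `ip`, and renders the `_index_template` request. My reading of why step 2 broke things: a composable `_index_template` takes precedence over a legacy `_template` rather than merging with it, so a composable template listing only the IP fields leaves every other string to OpenSearch's default `text` mapping; carrying the existing `dynamic_templates` over, as the update does, avoids that. The field names `srcip`/`dstip`, the index pattern `graylog_*`, the template name and the priority value are assumptions, and the `dynamic_templates` entries are an assumption about what a Graylog index reports, not copied from the page. The last function covers a caveat worth checking before switching a field to `ip`: a value such as `N/A` or a hostname in an `ip`-typed field makes OpenSearch reject the whole document.

```python
import ipaddress
import json

# Constructed sample: a trimmed excerpt of what GET /<index>/_mapping returns
# for a Graylog-managed index. Field names are illustrative, and the
# dynamic_templates entries are an assumption about Graylog's keyword-by-default
# behaviour, not copied from the thread.
SAMPLE_MAPPING = {
    "graylog_42": {
        "mappings": {
            "dynamic_templates": [
                {"internal_fields": {"match": "gl2_*", "mapping": {"type": "keyword"}}},
                {"store_generic": {"match": "*", "mapping": {"type": "keyword"}}},
            ],
            "properties": {
                "timestamp": {"type": "date", "format": "uuuu-MM-dd HH:mm:ss.SSS"},
                "message": {"type": "text"},
                "source": {"type": "keyword"},
                "srcip": {"type": "keyword"},
                "dstip": {"type": "keyword"},
                "gl2_source_node": {"type": "keyword"},
            },
        }
    }
}

# Fields to retype as "ip" (Fortigate-style names; assumption).
IP_FIELDS = ("srcip", "dstip")


def build_index_template(mapping_response, ip_fields, index_patterns=("graylog_*",), priority=200):
    """Derive a composable _index_template body from an existing index's mapping.

    Everything the index already maps (timestamp as date, gl2_* and generic
    strings as keyword) is carried over unchanged; only the named fields are
    switched to type "ip". Fields the index has not seen yet still fall
    through to dynamic_templates, so they become keyword rather than text.
    """
    # _mapping can return several indices; take the first one reported.
    index_name = next(iter(mapping_response))
    mappings = mapping_response[index_name]["mappings"]
    properties = dict(mappings.get("properties", {}))
    for name in ip_fields:
        properties[name] = {"type": "ip"}
    return {
        "index_patterns": list(index_patterns),
        # Must be higher than any competing composable template for the same
        # pattern; 200 is a placeholder, not a value from the thread.
        "priority": priority,
        "template": {
            "mappings": {
                "dynamic_templates": mappings.get("dynamic_templates", []),
                "properties": properties,
            }
        },
    }


def render_put_request(template_name, body):
    """Return the request (method, path and JSON body) that applies the template.

    A template only affects indices created afterwards, so a Graylog index
    rotation is still needed before the new mapping is in use.
    """
    return f"PUT /_index_template/{template_name}\n{json.dumps(body, indent=2)}"


def unmappable_ip_values(event, ip_fields):
    """Names of ip-typed fields whose value OpenSearch would refuse to index.

    An "ip" field accepts only literal IPv4/IPv6 addresses; a document with
    anything else in that field fails indexing, so values such as "N/A" or
    hostnames have to be cleaned up (e.g. in a pipeline rule) first.
    """
    bad = []
    for name in ip_fields:
        value = event.get(name)
        if value is None:
            continue  # an absent field is fine; only present bad values fail
        try:
            ipaddress.ip_address(value)
        except ValueError:
            bad.append(name)
    return bad


if __name__ == "__main__":
    body = build_index_template(SAMPLE_MAPPING, IP_FIELDS)
    print(render_put_request("graylog-ip-fields", body))
    # Constructed firewall events: the second one would fail to index.
    for event in ({"srcip": "10.0.0.5", "dstip": "192.0.2.1"},
                  {"srcip": "10.0.0.5", "dstip": "N/A"}):
        print(event, "->", unmappable_ip_values(event, IP_FIELDS) or "ok")
```

Run it against a real `GET /graylog_<n>/_mapping` response instead of the sample, review the printed body, apply it, and then rotate the active write index; once the new index is up, CIDR queries such as `srcip:10.0.0.0/8` work again because the field is `ip` rather than `keyword`.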

@laakkus

I see now, thank you for sharing.
