Hi,
seems like I am in a similar situation as described in Compound(long,string) after setting type hint in graylog extractor but I am unable to get Graylog/Elastic to treat some fields as a number.
- We have fields (
bytes_sentandbytes_received, potentially more) that were automatically stored as typekeyword - We changed the Graylog index template to make sure it is stored as
longas it is described in the documentation ( https://docs.graylog.org/en/3.2/pages/configuration/elasticsearch.html#custom-index-mappings ) - We rotated the active write index and waited 30 minutes
- We verified that Elastic treats it as
long(see below) - When searching within the last 5 minutes Graylog still shows the field as compound type (in the query input as well as in the side-menu field list)
How do I get Graylog to realize the type changed when working only with new data?
Now being able to use the chart function usually available by clicking on the field is really annoying.
Thanks!
Some more information:
- Graylog Enterprise customer
Graylog 3.2.4+a407287 on <redacted> (Oracle Corporation 1.8.0_252 on Linux 3.10.0-1127.el7.x86_64)- As of now only a single index set is configured
Excerpt from curl -X GET 'http://localhost:9200/graylog_deflector/_mapping?pretty'
"bytes_received" : {
"type" : "long"
},
"bytes_sent" : {
"type" : "long"
},
