Find source of compound fields

fadenb · June 9, 2020, 10:56am

Hi,

seems like I am in a similar situation as described in Compound(long,string) after setting type hint in graylog extractor but I am unable to get Graylog/Elastic to treat some fields as a number.

We have fields (bytes_sent and bytes_received, potentially more) that were automatically stored as type keyword
We changed the Graylog index template to make sure it is stored as long as it is described in the documentation ( https://docs.graylog.org/en/3.2/pages/configuration/elasticsearch.html#custom-index-mappings )
We rotated the active write index and waited 30 minutes
We verified that Elastic treats it as long (see below)
When searching within the last 5 minutes Graylog still shows the field as compound type (in the query input as well as in the side-menu field list)

image754×149 2.56 KB

How do I get Graylog to realize the type changed when working only with new data?
Now being able to use the chart function usually available by clicking on the field is really annoying.

Thanks!

Some more information:

Graylog Enterprise customer
Graylog 3.2.4+a407287 on <redacted> (Oracle Corporation 1.8.0_252 on Linux 3.10.0-1127.el7.x86_64)
As of now only a single index set is configured

Excerpt from curl -X GET 'http://localhost:9200/graylog_deflector/_mapping?pretty'

          "bytes_received" : {
            "type" : "long"
          },
          "bytes_sent" : {
            "type" : "long"
          },

jan · June 9, 2020, 11:40am

just one guess - did you have in your older indices data from the current time?

If you look what indices are used for search is that only the current one or older indices too?

tmacgbay · June 9, 2020, 1:22pm

Also - make sure your search is only against the index you corrected - if you are searching across streams/indexes you may be accidentally including and index where bytes_sent has not been fixed. if you expand a message on the search you can see all that similar to this:

fadenb · June 9, 2020, 1:42pm

just one guess - did you have in your older indices data from the current time?

Not that I would be aware of. After index timeframe recalculation the timeframes displayed seem ok so no other index should be involved.

If you look what indices are used for search is that only the current one or older indices too?

Only the current one (currently graylog_129) is used.

system · June 23, 2020, 1:47pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Compound(long,string) after setting type hint in graylog extractor Graylog Central (peer support)	5	1536	September 20, 2019
Change Graylog 'keyword' field to 'long' Graylog Central (peer support)	2	680	September 22, 2021
Why graylog convert my INT to String Graylog Central (peer support)	2	472	October 10, 2022
Fields show unknown type after Graylog Update from 2.4 to 3.2 Graylog Central (peer support)	2	627	June 1, 2020
Track down what's causing a compound field Graylog Central (peer support)	1	426	April 17, 2020

Find source of compound fields

Related Topics