Forcing numeric fields

jtkarvo · May 2, 2017, 12:26pm

hi,

what is the correct way to force fields to be numeric?

As an example: message

timestamp=XXXX-XX-XXTXX:XX:XX red=0 yellow=44 green=60

If I just create an extractor that extracts key-value pairs, the resulting fields are not numeric. I tried making a custom index mapping, but that does not seem to help. Do I need to make an explicit extractor for all fields that has a “Numeric” converter in it?

If the field is first at some point a string, and then I make a numeric converter to make the future messages to have a numeric field, do I need to change the field name, or can the generate chart function skip the non-numeric values, and make the chart on the numeric ones?

jochen · May 2, 2017, 1:36pm

You could use Grok to match these fields. Grok patterns can have a type hint per pattern, e. g. red=%{NUMBER:int}.

jtkarvo · May 3, 2017, 6:30am

hi,

thanks for the suggestion. I tried this. Did not work: the generate chart still complains that it can only make graphs for numeric fields.

Btw, I am running Graylog 2.2.3+7adc951

jochen · May 3, 2017, 7:24am

Did you remove the previously indexed messages or restricted the time range of the search to after you’ve changed the type of the fields?

Additionally, you should create a custom index mapping with the correct types: http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html#custom-index-mappings

jtkarvo · May 3, 2017, 8:45am

hi,

I changed the field name to an unused one. I tried both with and without custom index mapping, where I used “type” : “integer”

jtkarvo · May 3, 2017, 10:34am

What are the allowed Elasticsearch data types in Graylog that are considered numeric? Or should there be some other parameter that must be set for the field in the custom mapping to make the “Generate Chart” to work?

jtkarvo · May 4, 2017, 9:04am

hi,

I think I found the solution. The Generate Chart tool does not seem to accept “integer” type fields, but requires “long” fields to work. Changing to “long” solved my problem.

jtkarvo · May 4, 2017, 9:35am

… no, this is frustrating; now it seems that the problem is not between “int” and “long”. My guess is that if the mapping changes between different indices, the tool refusest to draw a graph, whether the actual messages have been deleted or not.

After changing the field name again, I got it working; using a custom mapping and GROK hints.

Topic		Replies	Views
Problem with numeric field created by JSON extractor Graylog Central (peer support)	5	2424	July 5, 2017
Change Graylog 'keyword' field to 'long' Graylog Central (peer support)	2	680	September 22, 2021
Custom mapping not applied to indices Graylog Central (peer support)	5	2965	December 3, 2019
Unexpected behavior for handling numeric field Graylog Central (peer support)	6	418	February 4, 2019
Search Results with Numeric Extracted are Not Greater than Query Graylog Central (peer support)	6	3571	July 3, 2021

Forcing numeric fields

Related Topics