Grok patterns not able to parse numbers after index rotation


(Eman Zaman) #1

I started using grok patterns recently to parse numeric fields in log messages. Everything was perfect until the index rotation happened in Graylog and suddenly Elasticsearch started complaining that there is a conflict of field type for the older and the new index. In the older index the extracted field is still numeric but in the new index it is showing it as string.

Before this, I have used numerical converters in extractors to extract a numeric field from log messages and those fields are still numeric in the new index.

I am using the following versions:

Graylog : 2.4.3
Elasticsearch: 5.6.8
Mongodb: 3.6.2

Please help
Thanks.


(Tess) #2

I’ve had run-ins with this situation too, leading to excessive amounts of indexing failures. One of the ways to force field types is by using “templates” in ElasticSearch. For example, here’s my topic where I had indexing issues:

And its follow-up

The problems I describe are not the same as the ones you’re experiencing. I’m linking the two topics as an example of how I enforced field types with templates.


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.