How to handle elasticsearch mapping error due to different data type

Graylog Central (peer support)
,
1

Hi All,

We have a message field called ‘status’ which can have either number(200) or string (‘Pending’).
Currently we are using elasicsearch dynamic mapping and due to this we are getting numberFormat exceptions whenever we have string data to status field.

Example:
When first message comes with status field value 200 to elasticsearch, it maps this field with data type as long. later after if status field get some string data then we will have numberFormat exception.

Tried below solutions,

  1. We tried to change the status field mapping on elasticsearch, but unable to convert field type from long to text
  2. We have looked around changing default static mapping from graylog2, but this limits us to have fixed set of fields in the log.

Please let us know for the best approach in order to solve this issue.

2

You could use the Processing Pipelines to enforce a fixed data type for the “status” field and either convert it into the correct type or rename the field.

:arrow_right: http://docs.graylog.org/en/2.4/pages/pipelines.html

3

use some kind of processing pipeline rule like mentioned in this posting:

to have one status field with number and one with a string - based in the field content.

4

@jochen and @jan Thanks for the quick help. This helped to fix my problem.

5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.