Hi,
I’m currently experiencing a sorting issue on custom fields. I followed the guide from Graylog documentation to create custom mapping rules so I’ll be able to sort on different fields.
My graylog-custom-mapping.json looks like this:
"template": "graylog_*",
"mappings" : {
"message" : {
"properties" : {
"process_id" : {
"type": "long"}
}
}
}
}
When running curl -X GET ‘http://localhost:9200/graylog_deflector/_mapping?pretty’
I can see that this field was added. I rotated my indexes and when running curl -X GET ‘http://localhost:9200/graylog_15/_mapping?pretty’ (graylog_15 created after rotation) I can see this field was added. However when I’m trying to use process_id for sorting purposes it crashes with:
and in ES logs I can see that it tried to use the graylog_10 index as well for search
Even if my Graylog search is _index:graylog_15
I’m wondering if it’s possible to add custom mapping rules to old indexes as well - in my case all indexes from graylog_1 to graylog_15 so I can use field process_id (among others) for search/sorting.
I found quite a few questions describing the same problem, but was not able to understand where exactly is the problem.
Thank you
Severin