Search Results with Numeric Extracted are Not Greater than Query

I am using a regex extractor to pull a port number from logs. I can see that the regex is correct because every log message shown in search results shows the correct extracted field. I have also applied the “numeric” conversion on the extractor. However, when I search for port_field:>20000 I still get results with ports lower than 20,000.

Any ideas?

Query looks good to me. I could imagine that the field type currently is a compound, or remained a string. When you expand a message and then click on the field name, a menu opens. On top of that menu is displayed what type that field is.


What type is the field in question?

You’re correct, it’s still a string. I’m confused because I have a numeric converter enabled.

This is because the elastic field type mapping for that field is still string. After the next index rotation, the type for the field will be numeric. You can force this by configuring a mapping for the template: Elasticsearch — Graylog 4.0.0 documentation

But that probably won’t be necessary. However, as long as you have indices in your set that have different types for a field, some functionality like statistics will not work. I’m not sure about search queries; probably it will work as expected for data in the new index, and produce unhelpful results for data in the old indexes’ time range.

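An added example, not part of the original thread: a Python sketch that reads a field-mapping reply from Elasticsearch, lists the indices where `port_field` is still mapped as a string, and shows why a `>20000` range on a string-mapped field returns lower ports (terms are compared lexicographically). The index names, the `keyword`/`long` types and the sample reply are constructed assumptions.

```python
import json

# Constructed sample, shaped like an Elasticsearch 7 reply to
#   GET /graylog_*/_mapping/field/port_field
# Index names and the keyword/long types are assumptions for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "graylog_40": {"mappings": {}},
  "graylog_41": {"mappings": {"port_field": {"full_name": "port_field",
      "mapping": {"port_field": {"type": "keyword"}}}}},
  "graylog_42": {"mappings": {"port_field": {"full_name": "port_field",
      "mapping": {"port_field": {"type": "keyword"}}}}},
  "graylog_43": {"mappings": {"port_field": {"full_name": "port_field",
      "mapping": {"port_field": {"type": "long"}}}}}
}
""")

NUMERIC_TYPES = {"byte", "short", "integer", "long", "unsigned_long",
                 "half_float", "float", "double", "scaled_float"}


def field_types(response, field):
    """Return {index name: mapped type, or None if the index lacks the field}."""
    leaf = field.split(".")[-1]  # the inner "mapping" object is keyed by leaf name
    types = {}
    for index, body in response.items():
        entry = body.get("mappings", {}).get(field, {})
        types[index] = entry.get("mapping", {}).get(leaf, {}).get("type")
    return types


def unreliable_indices(response, field):
    """Indices where the field exists but is not numeric, so ranges misbehave."""
    return sorted(index for index, ftype in field_types(response, field).items()
                  if ftype is not None and ftype not in NUMERIC_TYPES)


def string_range_hits(values, lower):
    """Emulate '>' on a string-mapped field: character-by-character comparison."""
    return [v for v in values if v > lower]


if __name__ == "__main__":
    print("string-mapped:", unreliable_indices(SAMPLE_RESPONSE, "port_field"))
    # Constructed port values as they would be stored in a string field.
    print("match >20000 :", string_range_hits(
        ["443", "8080", "22", "51234", "19999"], "20000"))
```

Range searches over the time span covered by the listed indices stay unreliable until those indices rotate out or are reindexed.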

Is there a way to force everything to be indexed again, properly using the extractor, so I can use the extracted values to filter old data?

You would need to reindex it (the API is called Reindex API), which essentially creates a new index. Then you could perform a switcheroo of some sort (deleting the old, renaming the new). We had this situation on several occasions but in the end just waited for the issue to resolve itself by the index rotation/deletion.

