I am using a regex extractor to pull a port number from logs. I can see that the regex is correct because every log message shown in search results shows the correct extracted field. I also have applied the “numeric” conversion on the extractor. However, when I search for port_field:>20000 I still get results with ports lower than 20,000.
Query looks good to me. I could imagine that the field type currently is a compound, or remained a string. When you expand a message, then click on the field name, a menu opens. On top of that menu is displayed what type that field is.
This is because the elastic field type mapping for that field is still string. After the next index rotation, the type for the field will be numeric. You can force this by configuring a mapping for the template: Elasticsearch — Graylog 4.0.0 documentation
But that probably won’t be necessary. However, as long as you have indices in your set that have different types for a field, some functionality like statistics will not work. I’m not sure about search queries; probably it will work as expected for data in the new index, and produce unhelpful results for data in the old indexes’ time range.
You would need to reindex it (the API is called the Reindex API), which essentially creates a new index. Then you could perform a switcheroo of some sorts (deleting the old, renaming the new). We had this situation on several occasions, but in the end just waited for the issue to resolve itself by the index rotation/deletion.
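An added example (not code from the thread or from Graylog itself) for the mixed-type situation described above: it checks which indices in the set still map `port_field` as a string, where `port_field:>20000` is compared as text (so "3000" sorts after "20000"), and builds the custom index-template body that pins the field to a numeric type for future indices. It assumes the Elasticsearch 7 get-field-mapping response shape and the `graylog_*` index prefix; the sample response is constructed.

```python
import json

# Numeric Elasticsearch field types: range queries such as port_field:>20000
# compare numerically on these, lexically on keyword/text.
NUMERIC_TYPES = {"long", "integer", "short", "byte",
                 "double", "float", "half_float", "scaled_float"}

# Constructed sample in the shape of an Elasticsearch 7
# GET graylog_*/_mapping/field/port_field response: the oldest index still
# maps the field as keyword, the index created after rotation as long.
SAMPLE_FIELD_MAPPING = {
    "graylog_0": {"mappings": {"port_field": {
        "full_name": "port_field",
        "mapping": {"port_field": {"type": "keyword"}}}}},
    "graylog_1": {"mappings": {"port_field": {
        "full_name": "port_field",
        "mapping": {"port_field": {"type": "long"}}}}},
    "graylog_2": {"mappings": {}},   # field not present in this index
}


def field_types_by_index(field_mapping, field):
    """Map each index name to the mapped type of `field` (None if absent)."""
    types = {}
    for index, body in field_mapping.items():
        entry = body.get("mappings", {}).get(field)
        types[index] = entry["mapping"][field]["type"] if entry else None
    return types


def non_numeric_indices(field_mapping, field):
    """Indices where `field` exists but is not numeric; range queries over
    these return string-ordered matches, which is the symptom in the question."""
    types = field_types_by_index(field_mapping, field)
    return sorted(idx for idx, t in types.items()
                  if t is not None and t not in NUMERIC_TYPES)


def custom_mapping_template(field, es_type="long", index_prefix="graylog_"):
    """Body for PUT _template/<name> that fixes `field` to a numeric type in
    every index created from now on (Elasticsearch 7 template format)."""
    return {"index_patterns": [index_prefix + "*"],
            "mappings": {"properties": {field: {"type": es_type}}}}


if __name__ == "__main__":
    print(field_types_by_index(SAMPLE_FIELD_MAPPING, "port_field"))
    print("still string:", non_numeric_indices(SAMPLE_FIELD_MAPPING, "port_field"))
    print(json.dumps(custom_mapping_template("port_field"), indent=2))
```

Existing indices listed as "still string" keep their mapping until they rotate out or are reindexed; the template only affects indices created afterwards.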