With a clean install of graylog, I am able to “show top values” for a given field. However, i added a custom mapping which treated all fields as strings, e.g.
"dynamic_templates": [
{
"store_generic": {
"mapping": {
"type": "text"
},
"match_mapping_type": "*"
}
}
]
after creating this mapping the ‘show top values’ field became disabled so I delete the custom mapping in elastic search so it looks like it originally did
"dynamic_templates": [
{
"internal_fields": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"match": "gl2_*"
}
},
{
"store_generic": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
Note that I rotated the active write index after deleting the custom mapping. However, the ‘show top values’ option is still disabled, even though the field is showing as type keyword, i.e.
curl -H 'Content-Type: application/json' 'https://graylogserver/graylog_deflector?pretty' | jq '.graylog_30.mappings.message.properties.Application'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6973 100 6973 0 0 63390 0 --:--:-- --:--:-- --:--:-- 63390\
{
"type": "keyword"
}
What do I need to do in order to be able to ‘show top values’ again?
Thanks for any help,
Darragh