Show top values disabled even after fixing 'mappings'

With a clean install of graylog, I am able to “show top values” for a given field. However, i added a custom mapping which treated all fields as strings, e.g.

"dynamic_templates": [
                {
                    "store_generic": {
                        "mapping": {
                            "type": "text"
                        },
                        "match_mapping_type": "*"
                    }
                }
            ]

after creating this mapping the ‘show top values’ field became disabled so I delete the custom mapping in elastic search so it looks like it originally did

"dynamic_templates": [
{
"internal_fields": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"match": "gl2_*"
}
},
{
"store_generic": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],

Note that I rotated the active write index after deleting the custom mapping. However, the ‘show top values’ option is still disabled, even though the field is showing as type keyword, i.e.

curl -H 'Content-Type: application/json' 'https://graylogserver/graylog_deflector?pretty' | jq '.graylog_30.mappings.message.properties.Application'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6973  100  6973    0     0  63390      0 --:--:-- --:--:-- --:--:-- 63390\
{
  "type": "keyword"
}

What do I need to do in order to be able to ‘show top values’ again?

Thanks for any help,
Darragh

I think you will have to wait until the old data (with more than one type for the fields) is deleted either by your retention settings or by you manually. Once that is done, the “show top values” should become available again.

1 Like

To add to @H2Cyber’s feedback I think you can manually archive the index with the misbehaving data type and achieve the same effect, assuming you want to retain it for some period.

Thank you both for your help!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.