Time-taken of IIS is of type Keyword but it's an Integer

We are using NXLog to send IIS logs to Elasticsearch/Graylog.
In the NXLog config file, the field type for the time-taken field is Integer, but in Elasticsearch, its field type is Keyword. Why? And how can I (through Graylog) set the type in Elasticsearch?

Check Custom index mappings:

Thanks, doing that. But I know that in Elasticsearch you can’t change a field type once it’s been created. Should I just wait until the current index is replaced by the new one (which I assume graylog does when the current one gets too big?). I actually have no idea how graylog works.

If you process a message with a custom field but no custom index mapping then ES will auto-type it, that’s why it’s keyword. Create the custom index mapping in ES and then rotate the active index. If everything’s set up correctly the data type on the field in the new index will be what you configure. Otherwise you can just wait for the active index to rotate based on the Graylog configuration, which is by default 1,000,000 messages I think.
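Concretely, the custom index mapping the reply above describes can look like this. It is an added example, not code from the thread or from Graylog's own documentation; it assumes the field arrives named `time-taken`, the default `graylog` index prefix, Elasticsearch 6.x or 7.x, and an ES endpoint given in `ES_URL`.

```shell
#!/bin/sh
# Added example (not from the thread): a Graylog custom index mapping that
# forces the IIS "time-taken" field to integer in every graylog_* index
# created from now on. Existing indices keep their keyword mapping, which is
# why the active index has to be rotated (or age out) before it takes effect.
# Assumed: default index prefix "graylog", ES 6.x/7.x, field name "time-taken".
ES_URL="${ES_URL:-http://localhost:9200}"

# Build the index template. order=1 makes it win over Graylog's own template
# (order 0) for the listed properties only; every other field keeps Graylog's
# defaults and ES auto-typing. The "message" type wrapper is what ES 6 expects;
# on ES 7+ remove that level so "properties" sits directly under "mappings".
iis_time_taken_template() {
  cat <<'EOF'
{
  "index_patterns": ["graylog_*"],
  "order": 1,
  "mappings": {
    "message": {
      "properties": {
        "time-taken": { "type": "integer" }
      }
    }
  }
}
EOF
}

# Install the template. Only indices created after this point are affected.
apply_template() {
  iis_time_taken_template | curl -sS -X PUT \
    "$ES_URL/_template/graylog-iis-custom" \
    -H 'Content-Type: application/json' -d @-
}

# After rotating the active write index (System > Indices > Maintenance >
# Rotate active write index), confirm the new index picked up the integer
# type; graylog_deflector is the alias Graylog keeps on the active index.
# With a numeric type, range queries and latency aggregations on time-taken
# (for example, spotting unusually slow requests) start working.
check_mapping() {
  curl -sS "$ES_URL/graylog_deflector/_mapping/field/time-taken"
}

# Usage (not run here): apply_template && check_mapping
```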

I see thanks, so it should fix itself soon. I don’t have access to the graylog administrative/Elasticsearch tools, as it’s managed by another department in my company.

Is the index just for your data? It’s very quick to rotate an active index, but if you have data retention requirements and they’re defined by number of indexes (like ours are) and time frame (like ours are) then if you prematurely rotate an index you may fail to meet your retention requirements unless you modify the configuration to account for the early rotation. I suppose there are also performance concerns if your ES performance is extremely marginal but if that’s the case you have bigger problems I think, so it’s kind of moot.

If the index contains only your data and you don’t need to worry about any of that there shouldn’t be an issue rotating the index. Shouldn’t hurt to ask at least.

I can’t do anything. Totally out of my control lol.
