SuterDEV

Graylog fix wrong field type

,

Sometimes you’ll get a indexing error, because the field type couldn’t be matched. This will look something like this:

ElasticsearchException[Elasticsearch exception [type=illegal_argument_exception, reason=mapper [serial_number] cannot be changed from type [keyword] to [date]]]

You can fix this, by changing the mapping in opensearch. Usually you do this directely on the index, but with roating indexes like in graylog, this won’t work. That’s why we need to create a template, that will automatically add the mapping to all new indexes. Like this:

echo '{
  "order" : 10,
  "template": "myindex_*",
  "mappings" : {
      "properties" : {
          "serial_number" : {
            "type" : "keyword"
          }
      
    }
  }
}' > myindex-mappingfix-serial_number.json

curl -X PUT -d @'myindex-mappingfix-serial_number.json' -H 'Content-Type: application/json' 'http://localhost:9200/_template/myindex-mappingfix-serial_number?pretty'

Insert the name of the index (for example graylog, if it is the default index set), and the field name.

After adding this template, you’ll have to rotate the index and it will be applied.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.