@truekonrads
Created July 24, 2017 13:55
How to update ElasticSearch fields

Suppose you have a field that you ingested as "text" but that actually holds an IP address (at least some of the time). You would like to query it as an IP address, but you can't or won't re-create the index. Then do this:

$ curl -XPUT 'http://localhost:9200/myindex/logs/_mapping' -H 'Content-Type: application/json' -d '
{
  "properties": {
    "Network Information Network Address": {
      "type": "text",
      "fields": {
        "ip": {
          "type": "ip",
          "ignore_malformed": true
        }
      }
    },
    "Network Information Source Network Address": {
      "type": "text",
      "fields": {
        "ip": {
          "type": "ip",
          "ignore_malformed": true
        }
      }
    }
  }
}'

Note that not everything fed into the field will be an IP address: in Windows event logs, when the value is unavailable, Windows records a single dash ("-"). This is why we specify ignore_malformed, so that such documents are still indexed and only the "ip" sub-field is left empty. This creates the new sub-fields for your types. Then re-index the existing documents into them using the _update_by_query API:

$ curl -XPOST 'http://localhost:9200/myindex/logs/_update_by_query?conflicts=proceed' -H 'Content-Type: application/json' -d '
{
  "query": {
    "exists": {"field": "Network Information Network Address"}
  }
}'

$ curl -XPOST 'http://localhost:9200/myindex/logs/_update_by_query?conflicts=proceed' -H 'Content-Type: application/json' -d '
{
  "query": {
    "exists": {"field": "Network Information Source Network Address"}
  }
}'
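As an added example that is not part of the gist, this Python script builds the same mapping and _update_by_query bodies for any list of fields, shows which raw values the "ip" sub-field would actually accept (the Windows "-" is skipped rather than failing the document), and builds a CIDR term query against the new sub-field; the cluster URL, index name and type name are assumptions.

```python
"""Added example, not the gist's own code. Assumes an Elasticsearch 5.x/6.x
REST API at BASE_URL; index and type names below are placeholders."""
import ipaddress
import json
import urllib.request

BASE_URL = "http://localhost:9200"  # assumed; point this at your cluster


def build_ip_subfield_mapping(fields):
    """Keep each field as `text` and add an `ip` sub-field that tolerates
    non-IP values such as the "-" Windows writes when the address is unknown."""
    return {
        "properties": {
            f: {"type": "text",
                "fields": {"ip": {"type": "ip", "ignore_malformed": True}}}
            for f in fields
        }
    }


def build_update_by_query(field):
    """Re-index only the documents that carry the field, so the sub-field gets populated."""
    return {"query": {"exists": {"field": field}}}


def would_index_as_ip(value):
    """Mirror ignore_malformed: True if ES would store the value in the `ip`
    sub-field, False if it would silently skip it (the document is still indexed)."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def cidr_query(field, cidr):
    """Once the sub-field exists, an `ip` field accepts CIDR notation in a term query."""
    return {"query": {"term": {f"{field}.ip": cidr}}}


def _request(method, path, body):
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode(),
                                 method=method, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_mapping_and_reindex(index, doc_type, fields):
    """The gist's two steps in order: add the mapping, then one _update_by_query per field."""
    _request("PUT", f"/{index}/{doc_type}/_mapping", build_ip_subfield_mapping(fields))
    return [_request("POST", f"/{index}/{doc_type}/_update_by_query?conflicts=proceed",
                     build_update_by_query(f)) for f in fields]
```

Run `would_index_as_ip` over a sample of your raw values first; if a large share comes back False, the field is not an address field at all and the sub-field buys you little.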