How can I change a field's type in Elasticsearch without stopping my services?


Over the last two days, I have searched Google and looked for information on www.elastic.co, but I still feel puzzled. Here is my actual situation:

I learned and set up ELK services last month. I import my logs into Elasticsearch via Logstash.

But I ran into a problem when making a visualization chart. I need to sum a field to do that, but I got an error:

this field type is string,need number to sum! 

A number is required to calculate the sum, which makes sense, so I tried to change the field type from string to number (long).

And I did that. Here is my solution:

  1. post a template to elasticsearch and create new index
  2. set logstash output to new index and restart it
  3. reindex old index to new one
  4. delete old index

Here is my question:

Can I skip the second step?

I don't want to restart Logstash, because it receives data in real time and I don't want it to miss some data.

If I don't restart Logstash, I can't change the output to the new index.

It makes me confused.

Best answer

Once a field type is set, it cannot be changed.

According to the official guide:

Although you can add to an existing mapping, you can’t change existing field mappings. If a mapping already exists for a field, data from that field has probably been indexed. If you were to change the field mapping, the indexed data would be wrong and would not be properly searchable.

So your only option is reindexing the whole index. The good news is that it can be done with zero downtime. The process is explained here. It is done through the use of aliases: the index changes, but both point to the same alias, including Logstash I guess; in that case you will not need to restart it.

Anyway, if possible it would be better to set your mappings beforehand with the correct types for each field. If you don't know them beforehand, maybe a more accurate template could be made. Even with zero downtime, reindexing the whole index could be kind of slow depending on the index size.
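The alias-based procedure this answer describes, written out as an added example that is not part of the original answer. It assumes Logstash's output already writes to an alias named `logs`, that the indices are `logs_v1` and `logs_v2`, that the field is `bytes` (all hypothetical names), and an Elasticsearch version with typeless mappings (7+); the catch-up copy in step 4 goes beyond what the answer states.

```python
import json
import urllib.request

# Assumed names (not from the question): alias "logs" is what Logstash writes
# to; "logs_v1" holds the string-typed field "bytes"; "logs_v2" is the fix.
ALIAS, OLD, NEW, FIELD = "logs", "logs_v1", "logs_v2", "bytes"


def migration_plan(alias=ALIAS, old=OLD, new=NEW, field=FIELD):
    """Return the ordered (method, path, body) requests for the migration."""
    copy = {
        "conflicts": "proceed",  # count and skip already-copied docs
        "source": {"index": old},
        "dest": {"index": new, "op_type": "create"},  # never overwrite in new
    }
    return [
        # 1. New index with the corrected type. Numeric strings such as "123"
        #    are coerced to long at index time by default.
        ("PUT", f"/{new}", {"mappings": {"properties": {field: {"type": "long"}}}}),
        # 2. Bulk copy while Logstash keeps writing to `old` through the alias.
        ("POST", "/_reindex?wait_for_completion=true", copy),
        # 3. Both actions in one request are applied atomically, so the alias
        #    never resolves to zero indices or to both.
        ("POST", "/_aliases", {"actions": [
            {"remove": {"index": old, "alias": alias}},
            {"add": {"index": new, "alias": alias}},
        ]}),
        # 4. Catch-up copy of documents that reached `old` during step 2.
        ("POST", "/_reindex?wait_for_completion=true", copy),
        # 5. Delete the old index only after comparing document counts.
        ("DELETE", f"/{old}", None),
    ]


def send(base_url, method, path, body):
    """Send one request; urllib raises HTTPError on a non-2xx response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=3600) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print the requests in a form that can be pasted into Dev Tools.
    for method, path, body in migration_plan():
        print(method, path)
        if body is not None:
            print(json.dumps(body, indent=2))
```

If Logstash currently writes to a concrete index name instead of an alias, its output has to be pointed at the alias once before this procedure applies.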