Github user merrimanr commented on the issue:

https://github.com/apache/metron/pull/1253

I'm not sure if you know the answer to this @nickwallen because it predates this PR, but is the intention to convert all `metron_alert.*` fields to keyword types? I can see the motivation behind doing this because we may not be aware of all field types in the various sensors that could be added to a metaalert. Maybe @justinleet knows?

If my assumption is true then we need another small change to make that happen. Currently the `match_mapping_type` attribute is set to `string` which will only convert string types. If we want to convert all fields, it needs to be:

```
"dynamic_templates": [
  {
    "alert_template": {
      "path_match": "metron_alert.*",
      "match_mapping_type": "*",
      "mapping": {
        "type": "keyword"
      }
    }
  }
]
```

Notice `string` has been changed to `*`.
---