Changing beat.hostname to not_analyzed

Hi,

I've been trying to solve this issue all day, no solutions online work for me.

When using topbeat (or another beat), the beat.hostname field (string) comes up as analyzed, screwing up the graphs.

I saw that there are two solutions to this:

  1. Automatically load a template where you specify "not_analyzed" for the field.
  2. Manually load the same thing using an HTTP PUT.

I cannot do #2 due to configurations of my network. I tried #1, with no results.

When changing the json.template, I successfully see the changes in http://localhost:9200/_template?pretty


(this is not all the json, just the relevant part)

"@timestamp" : {
    "type" : "date"
},
"hostname" : {
    "index" : "not_analyzed",
    "type" : "string"
},

That didn't work, so I tried making "beat" on the same level as @timestamp, and adding timestamp as a property of that:


"@timestamp" : {
    "type" : "date"
},
"beat" : {
    "properties" : {
        "hostname" : {
            "index" : "not_analyzed",
            "type" : "string"
        }
    }
},

with no results, the field still comes back as analyzed.

Anyone have any ideas?

Thanks

Reference this thread: https://discuss.elastic.co/t/kibana-splitting-fields-with-dots-or-spaces-in-them/61298

I'm not sure I understand.

Basically we need to

  1. Create the template (either automatically through the config or by using PUT like you did there)
  2. Re-index

For the re-index, is it enough to just delete the index pattern in Kibana and re-create it?

If not, the re-indexing that you show is with a POST operation. I can't do that due to my network configuration. Is there anything I can put in my configs that would automatically re-index once a change is detected?

Indexes created after you make the template will apply to all new indexes created, so you should be fine going forward for those. The issue is that that same field will be not_analyzed in new indexes, and still analyzed in old indexes, which is bad. I'll defer to someone else on the list for the auto-reindex, but I didn't see anything that would do that.
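
The old-versus-new index mismatch described in the last reply can be checked read-only from saved `GET /_mapping` output. The script below is an added example, not code from the thread: the index names, dates and the `system` type are constructed sample data in the Elasticsearch 2.x mapping shape. It follows the dotted name through nested `properties`, so a top-level `hostname` entry does not count as `beat.hostname`.

```python
import json

# Constructed sample shaped like GET /_mapping output on Elasticsearch 2.x.
# Index names, dates and the "system" type are illustrative assumptions.
SAMPLE_MAPPINGS = json.loads("""
{
  "topbeat-2016.09.20": {"mappings": {"system": {"properties": {
    "beat": {"properties": {"hostname": {"type": "string"}}}}}}},
  "topbeat-2016.09.21": {"mappings": {"system": {"properties": {
    "beat": {"properties": {"hostname":
      {"type": "string", "index": "not_analyzed"}}}}}}},
  "topbeat-2016.09.22": {"mappings": {"system": {"properties": {
    "hostname": {"type": "string", "index": "not_analyzed"}}}}}
}
""")


def field_definition(properties, dotted_path):
    """Follow a dotted field name through nested "properties" objects."""
    node = None
    for part in dotted_path.split("."):
        node = (properties or {}).get(part)
        if node is None:
            return None  # path does not exist at this level
        properties = node.get("properties")
    return node


def index_setting(definition):
    """Return the effective "index" option of a string field mapping."""
    if definition is None:
        return "missing"
    # A 2.x string field with no explicit "index" option is analyzed.
    return definition.get("index", "analyzed")


def audit(mappings, field="beat.hostname"):
    """Map (index, type) to the field's effective "index" setting."""
    report = {}
    for index, body in mappings.items():
        for doc_type, mapping in body.get("mappings", {}).items():
            definition = field_definition(mapping.get("properties"), field)
            report[(index, doc_type)] = index_setting(definition)
    return report


def has_conflict(report):
    """True when indices disagree on how the field is indexed."""
    return len(set(report.values()) - {"missing"}) > 1


if __name__ == "__main__":
    for key, setting in sorted(audit(SAMPLE_MAPPINGS).items()):
        print(key, setting)
```

To run it against a real cluster, replace `SAMPLE_MAPPINGS` with the parsed body of a saved `GET /_mapping` response.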