My current template for elasticstack(v6.2) is as follows:
{
"template": "log*",
"settings": {
"number_of_shards": 2
},
"mappings": {
"_default_": {
"dynamic_templates": [{
"date_fields": {
"mapping": {
"format": "dateOptionalTime",
"doc_values": true,
"type": "date"
},
"match": "*",
"match_mapping_type": "date"
}
}, {
"byte_fields": {
"mapping": {
"doc_values": true,
"type": "byte"
},
"match": "*",
"match_mapping_type": "byte"
}
}, {
"double_fields": {
"mapping": {
"doc_values": true,
"type": "double"
},
"match": "*",
"match_mapping_type": "double"
}
}, {
"float_fields": {
"mapping": {
"doc_values": true,
"type": "float"
},
"match": "*",
"match_mapping_type": "float"
}
}, {
"integer_fields": {
"mapping": {
"doc_values": true,
"type": "integer"
},
"match": "*",
"match_mapping_type": "integer"
}
}, {
"long_fields": {
"mapping": {
"doc_values": true,
"type": "long"
},
"match": "*",
"match_mapping_type": "long"
}
}, {
"short_fields": {
"mapping": {
"doc_values": true,
"type": "short"
},
"match": "*",
"match_mapping_type": "short"
}
}, {
"string_fields": {
"mapping": {
"index": "not_analyzed",
"omit_norms": true,
"doc_values": true,
"type": "string"
},
"match": "*",
"match_mapping_type": "string"
}
}],
"properties": {
"@version": {
"index": "not_analyzed",
"doc_values": true,
"type": "string"
}
},
"_all": {
"enabled": true
}
}
},
"aliases": {}
}
And when I do a
GET log_name/_mapping
the output is this:
{
"log-2018-04-03": {
"mappings": {
"doc": {
"dynamic_templates": [{
"message_field": {
"path_match": "message",
"match_mapping_type": "string",
"mapping": {
"norms": false,
"type": "text"
}
}
},
{
"string_fields": {
"match": "*",
"match_mapping_type": "string",
"mapping": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"norms": false,
"type": "text"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"bytesReceived": {
"type": "long"
},
"bytesSent": {
"type": "long"
},
"clientIP": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"device": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"geoip": {
"dynamic": "true",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"message": {
"type": "text",
"norms": false
},
"name": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"os": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"referer": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"response": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"timetaken": {
"type": "long"
},
"type": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"uriStem": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"_default_": {
"dynamic_templates": [{
"message_field": {
"path_match": "message",
"match_mapping_type": "string",
"mapping": {
"norms": false,
"type": "text"
}
}
},
{
"string_fields": {
"match": "*",
"match_mapping_type": "string",
"mapping": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"norms": false,
"type": "text"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"geoip": {
"dynamic": "true",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
}
}
}
}
}
}
So now how would I change this to accomodate ip and geoip fields in the field mappings or should I change my logstash configuration file (but after some digging I found out that we cannot map fields from logstash's configuration file. Currently ip's are treated as strings in my elasticstack.