Hello,
I'm using Logstash to retrieve some e-mails and put them in Elasticsearch to visualize them with Kibana. It works well but now I want to customize the Elasticsearch template I use.
I want some fields to be analyzed and others not. I created the following template:
{
  "template" : "trend-*",
  "settings" : {
    "number_of_shards" : 3,
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : true},
      "dynamic_templates" : [ {
        "not_analyzed_string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "string", "index" : "not_analyzed", "omit_norms" : true, "doc_values" : true
          }
        }
      } ],
      "properties" : {
        "@version": { "type": "string", "index": "not_analyzed" },
        "geoip" : {
          "type" : "object",
          "dynamic": true,
          "path": "full",
          "properties" : {
            "location" : { "type" : "geo_point" }
          }
        },
        "action" : {
          "type" : "string",
          "index" : "analyzed"
        },
        "ip" : {
          "type" : "ip",
          "index" : "analyzed",
          "store" : true
        },
        "message" : {
          "type" : "string",
          "index" : "analyzed"
        },
        "path" : {
          "type" : "string",
          "index" : "analyzed"
        }
      }
    }
  }
}
I understand it like this:
- by default all fields are not_analyzed
- some specific fields (action, ip, message, path) are analyzed
But after uploading it (with curl -XPUT) I still have other fields ('host' for example) which are marked as analyzed (in Kibana settings).
Do you know what can be wrong in my template? And how to fix it?
Thanks
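
One way to check what the template in the post assigns to a given field, as an added example that is not part of the original post: a simplified Python model of the lookup (index pattern match, then explicit `properties`, then `dynamic_templates` in order). The function names, the index names and the `bytes` field are hypothetical, and the model covers only top-level fields and the `match` / `match_mapping_type` keys.

```python
import fnmatch

# Template from the post, reduced to the keys that decide how a field is indexed.
TEMPLATE = {
    "template": "trend-*",
    "mappings": {"_default_": {
        "dynamic_templates": [{"not_analyzed_string_fields": {
            "match": "*", "match_mapping_type": "string",
            "mapping": {"type": "string", "index": "not_analyzed",
                        "omit_norms": True, "doc_values": True}}}],
        "properties": {
            "@version": {"type": "string", "index": "not_analyzed"},
            "action": {"type": "string", "index": "analyzed"},
            "ip": {"type": "ip", "index": "analyzed", "store": True},
            "message": {"type": "string", "index": "analyzed"},
            "path": {"type": "string", "index": "analyzed"},
        },
    }},
}

def template_applies(template, index_name):
    """True if the template's index pattern covers index_name."""
    # Assumption: fnmatch stands in for Elasticsearch's own wildcard matching.
    return fnmatch.fnmatchcase(index_name, template["template"])

def resolve_field(template, field, json_type="string", doc_type="_default_"):
    """Return (source, mapping) the template assigns to a top-level field."""
    doc = template["mappings"][doc_type]
    if field in doc.get("properties", {}):          # explicit mapping wins
        return "properties", doc["properties"][field]
    for entry in doc.get("dynamic_templates", []):  # first matching rule wins
        for name, rule in entry.items():
            wanted = rule.get("match_mapping_type", json_type)
            name_ok = fnmatch.fnmatchcase(field, rule.get("match", "*"))
            if name_ok and wanted in ("*", json_type):
                return "dynamic_template:" + name, rule["mapping"]
    return "dynamic_default", {"type": json_type}

if __name__ == "__main__":
    # Constructed index and field names, for illustration only.
    for index in ("trend-2015.01.01", "logstash-2015.01.01"):
        print(index, "covered by template:", template_applies(TEMPLATE, index))
    for field, jtype in (("host", "string"), ("message", "string"), ("bytes", "long")):
        source, mapping = resolve_field(TEMPLATE, field, jtype)
        print(field, "->", source, mapping.get("index", "(type default)"))
```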