Confusions around ELK6 types

Elastic Stack Elasticsearch
1

Hi guys,

I am totally confused about document types in new ELK.

I am now migrating from v5 to v6. When reading the Elasticsearch guide on getting rid of types (https://www.elastic.co/guide/en/elasticsearch/reference/master/removal-of-types.html#_custom_type_field) it says that it is best to use "_doc" mapping name as the only mapping type in index templates. Fair enough.

Now, beats are assuming that default event type is always "doc" - Document_type deprecated?

Also when reading logstash documentation https://www.elastic.co/guide/en/logstash/current/upgrading-logstash-6.0.html it mentions that to fix issue with multiple types one can set document_type => doc (and not _doc) even though it is actually deprecated.

What is true then? Should we use doc? or maybe _doc?
Best Regards

When reading

2 Likes
2

We’ve renamed ELK to the Elastic Stack, otherwise Beats and APM feel left out! :wink: Check out https://www.elastic.co/elk-stack

In regards to your question though, both Logstash and Filebeat use doc. You are right about Elasticsearch being different though, I will raise that internally.

Whatever you choose though, it just needs to be the same if you have different sources going into the one index.

2 Likes
3

Thanks for quick reply,

IMO it is actually major problem.

When using available elastic.co docs on migration from 5x to 6x people will end up with documents not being indexed.

  1. According to the docs they will create _doc mappign type name so it will be good when 7.0 is released
  2. Then they will remove document_type settings from logstash(cause it is deprecated).
  3. They will end up with error the final mapping would have more than 1 type: [_doc, doc] because logstash will set doc and elasticsearch based on mapping will set _doc.

Or maybe I am doing something wrong :stuck_out_tongue: - but thats what happened to me

1 Like
4

Same here : I had to redo all my template mappings to change type from "_doc" to "doc" because of Logstash behavior.

Note that this has already been reported here a month ago : Default value of the type field

5

Seems like elastic team also got lost in all this document_type changes :slight_smile:

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.