Create a .raw field for a given field via Dynamic Template


(KingBob) #1

Hello,

I would like to modify the default Logstash template to create a host.raw field that is not analyzed (so it can be used in a terms query from Grafana).

I tried the following but it is not working.

Can anyone show me where I'm going wrong?

{
  "order" : 0,
  "version" : 50005,
  "template" : "logstash-*",
  "settings" : {
    "index" : {
      "number_of_shards" : "2",
      "number_of_replicas" : "1",
      "refresh_interval" : "5s"
    }
  },
  "mappings" : {
    "_default_" : {
      "dynamic_templates" : [
        {
          "message_field" : {
            "path_match" : "message",
            "mapping" : {
              "norms" : false,
              "type" : "text"
            },
            "match_mapping_type" : "string"
          }
        },
        {
          "host_field" : {
            "path_match" : "host",
            "mapping" : {
              "type" : "string",
              "fields" : {
                "raw" : {
                  "ignore_above" : 256,
                  "index" : "not_analyzed",
                  "type" : "string"
                }
              }
            }
          }
        },
        {
          "string_fields" : {
            "mapping" : {
              "norms" : false,
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword"
                }
              }
            },
            "match_mapping_type" : "string",
            "match" : "*"
          }
        }
      ],
      "_all" : {
        "norms" : false,
        "enabled" : true
      },
      "properties" : {
        "@timestamp" : {
          "include_in_all" : false,
          "type" : "date"
        },
        "geoip" : {
          "dynamic" : true,
          "properties" : {
            "ip" : {
              "type" : "ip"
            },
            "latitude" : {
              "type" : "half_float"
            },
            "location" : {
              "type" : "geo_point"
            },
            "longitude" : {
              "type" : "half_float"
            }
          }
        },
        "@version" : {
          "include_in_all" : false,
          "type" : "keyword"
        }
      }
    }
  },
  "aliases" : { }
}

Thanks.


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.