Hello,
I would like to modify the default Logstash template to create a host.raw
field that is not analyzed (so it can be used in a terms query from Grafana).
I tried the following but it is not working.
Can anyone show me where I'm going wrong?
{
"order" : 0,
"version" : 50005,
"template" : "logstash-*",
"settings" : {
"index" : {
"number_of_shards" : "2",
"number_of_replicas" : "1",
"refresh_interval" : "5s"
}
},
"mappings" : {
"_default_" : {
"dynamic_templates" : [
{
"message_field" : {
"path_match" : "message",
"mapping" : {
"norms" : false,
"type" : "text"
},
"match_mapping_type" : "string"
}
},
{
"host_field" : {
"path_match" : "host",
"mapping" : {
"type" : "string",
"fields" : {
"raw" : {
"ignore_above" : 256,
"index" : "not_analyzed",
"type" : "string"
}
}
}
}
},
{
"string_fields" : {
"mapping" : {
"norms" : false,
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword"
}
}
},
"match_mapping_type" : "string",
"match" : "*"
}
}
],
"_all" : {
"norms" : false,
"enabled" : true
},
"properties" : {
"@timestamp" : {
"include_in_all" : false,
"type" : "date"
},
"geoip" : {
"dynamic" : true,
"properties" : {
"ip" : {
"type" : "ip"
},
"latitude" : {
"type" : "half_float"
},
"location" : {
"type" : "geo_point"
},
"longitude" : {
"type" : "half_float"
}
}
},
"@version" : {
"include_in_all" : false,
"type" : "keyword"
}
}
}
},
"aliases" : { }
}
Thanks.