Create template dynamic index and multi mamping

nurhambali · February 19, 2019, 11:23am

hi all,

i have a problem when be create dynamic index and dynamic mappings :

this is my _templates

PUT _template/huawei
{
  "index_patterns": "huawei-*",
  "settings": {
    "index.refresh_interval": "5s",
    "number_of_shards": 1
  },
    "mappings" : {
      "attack" : {
        "properties":{
          "@timestamp":{"type":"date"},
          "hostname":{"type":"keyword"},
          "type":{"type":"keyword"},
          "host":{"type":"keyword"},
        },
        }

      },
      "ips" : {
        "properties":{
         "@timestamp":{"type":"date"},
         "hostname":{"type":"keyword"},
         "host":{"type":"keyword"},
         "action":{"type":"keyword"},
         "program":{"type":"keyword"}
        }
      },
      "ids" : {
        "properties":{
         "@timestamp":{"type":"date"},
         "hostname":{"type":"keyword"},
         "host":{"type":"keyword"},
         "action":{"type":"keyword"},
         "program":{"type":"keyword"},
                }
      },
      "vpn" : {
        "properties":{
          "@timestamp":{"type":"date"},
          "hostname":{"type":"keyword"},
          "type":{"type":"keyword"},
          "host":{"type":"keyword"},
          "program":{"type":"keyword"}
        }
      }
   }
}

what is missing form my configuration ?

thanks,
hambali

Christian_Dahlqvist · February 19, 2019, 11:33am

Which version of Elasticsearch are you using? From version 6.0 onwards there can only be one document type per index.

nurhambali · February 19, 2019, 11:39am

i'm using Elsaticsearch version 6.5 is there a solution for the dynamic index?

please give me example dynamic index ?

thanks,
hambali

Christian_Dahlqvist · February 19, 2019, 11:41am

You can not have multiple document types in your mapping. What is it you are trying to achieve?

Why not add a new field that stores the type of document and use the default document type _doc for all documents?

PUT _template/huawei
{
  "index_patterns": "huawei-*",
  "settings": {
    "index.refresh_interval": "5s",
    "number_of_shards": 1
  },
  "mappings" : {
    "_doc" : {
      "properties":{
        "@timestamp":{"type":"date"},
        "hostname":{"type":"keyword"},
        "type":{"type":"keyword"},
        "host":{"type":"keyword"},
        "action":{"type":"keyword"},
        "program":{"type":"keyword"}
      }
    }
  }
}

nurhambali · February 19, 2019, 11:45am

how do I separate the different data apart from the document mapping, will the different fields of data separate the data?

Christian_Dahlqvist · February 19, 2019, 11:47am

You have a field named type. Why not use that? If that is for something else just add another field.

nurhambali · February 19, 2019, 11:49am

thank you for the advice I will immediately try it

thanks,
hambali

system · March 19, 2019, 11:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.