I resolved a previous issue where I wanted to update a field that was marked analyzed to mark all fields going to a specific named index to be marked as not_analyzed. I would like to do a similar thing but on an index that is ingesting multiple types of data. The person who set this up named the sources by the _type field and since i am responsible for one of those types, I need to ensure the visuals created show the correct fields. These are not being indexed and do not appear so is there a way to create a template to update specific indices but only that _type (source) to include all fields to be indexed.
For example if index [logstash]-yyyy.mm.dd has 4 different types : _A, _B, _C , _D, can a template be created to index all fields related to type _D. They do not want to alter the /conf file to update this and suggested I use the correct queries but how must I do this if the fields are not indexed.
Any help appreciated. I included the following which I know is wrong but this is a template to only correct indices with the name logstash* but I need to update only the _type. Is that possible?
PUT /_template/fattemplate_1
{
"template" : "logstash*",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"_default_" : {
"_all" : {"enabled" : true},
"dynamic_templates" : [ {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "not_analyzed", "omit_norms" : true
}
}
} ],
"properties" : {
"@version": { "type": "string", "index": "not_analyzed" },
"geoip" : {
"type" : "object",
"dynamic": true,
"path": "full",
"properties" : {
"location" : { "type" : "geo_point" }
}
}
}
}
}
}