Creating Custom Index Template

I have a UniFi controller sending syslog data to logstash with custom patterns defined for parsing, and the data flow itself is working. However, the issue I am having is that I have no clue how to get the index definition defined appropriately. I'm working from information found at the following URL:

I believe I just have something small that needs to be tweaked in the following attempted definition, but I haven't found a clear explanation of what it could be:

Attempted Index Creation:

PUT /_index_template/unifisyslog_template?pretty
{
  "unifisyslog" : {
    "order" : 0,
    "index_patterns" : [
      "unifisyslog-*"
    ],
    "settings" : {
      "index" : {
        "number_of_shards" : "1",
        "number_of_replicas" : "1"
      }
    },
    "mappings" : {
      "doc" : {
        "properties" : {
          "ubiquiti.switch" : {
            "type" : "object"
          },
          "source.geo" : {
            "dynamic" : true,
            "properties" : {
              "ip" : {
                "type" : "ip"
              },
              "location" : {
                "type" : "geo_point"
              },
              "latitude" : {
                "type" : "half_float"
              },
              "longitude" : {
                "type" : "half_float"
              }
            }
          },
          "destination.geo" : {
            "dynamic" : true,
            "properties" : {
              "ip" : {
                "type" : "ip"
              },
              "location" : {
                "type" : "geo_point"
              },
              "latitude" : {
                "type" : "half_float"
              },
              "longitude" : {
                "type" : "half_float"
              }
            }
          },
          "source.ip" : {
            "type" : "ip"
          },
          "destination.ip" : {
            "type" : "ip"
          }
        }
      }
    },
    "aliases" : { }
  }
}

I get an error on the "unifisyslog" item at the beginning, but I can't seem to find an example that shows me what would be different (I thought the name being assigned would be the first item?). Any pointers that could help me figure out how to format the request appropriately?

These parts are returned when you GET an index, but you need to take those off (and the ending }) before you PUT.

Here is the start of one of my templates to compare:

{
    "order" : 100,
    "index_patterns" : [
      "redacted-*"
    ],
    "settings" : {
      "index" : {
<snip>

Going with editing the original I get an error regarding "order" now.

Here's the revised start:

PUT /_index_template/unifisyslog_template?pretty
{
  "order" : 100,
  "index_patterns" : [
    "unifisyslog-*"
  ],
  "settings" : {
    "index" : {
<snip>

I had the same error before shifting everything to the left (just in case it was somehow an issue on spacing).

This is the exact error:

(apologies for the screenshot instead of copying the text, but for some reason it would not copy/paste out of the response side of the window)

There were a couple of errors in the index: the mapping and settings must be in the template body, and some other elements were misplaced too. Take a look at Create or update index template API | Elasticsearch Guide [7.13] | Elastic if you want to find them in detail, but there you go:

PUT /_index_template/unifisyslog_template
{
  "index_patterns": [
    "unifisyslog-*"
  ],
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "1"
      }
    },
    "mappings": {
      "properties": {
        "ubiquiti.switch": {
          "type": "object"
        },
        "source.geo": {
          "dynamic": true,
          "properties": {
            "ip": {
              "type": "ip"
            },
            "location": {
              "type": "geo_point"
            },
            "latitude": {
              "type": "half_float"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        },
        "destination.geo": {
          "dynamic": true,
          "properties": {
            "ip": {
              "type": "ip"
            },
            "location": {
              "type": "geo_point"
            },
            "latitude": {
              "type": "half_float"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        },
        "source.ip": {
          "type": "ip"
        },
        "destination.ip": {
          "type": "ip"
        }
      }
    },
    "aliases": {}
  }
}
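The fix above comes down to the difference between the legacy `_template` shape (which `GET /_template/<name>` returns wrapped in the template name, with top-level `order`, `settings`, `mappings` and, on 6.x indices, a mapping type such as `doc`) and the composable `_index_template` shape, where `settings`, `mappings` and `aliases` live under `template` and `order` has no place at all. The script below is an added example, not code from this thread or from Elastic: it converts a legacy-style body into the composable form and lists the problems a `PUT /_index_template` would reject, so the same mistakes can be caught before the request is sent. The sample body is constructed from the question (trimmed to a few fields); the set of accepted top-level keys is the subset used here rather than the full API, and mapping legacy `order` to composable `priority` is the assumed equivalence (both mean "higher value wins").

```python
import json
from copy import deepcopy

# Constructed sample (trimmed from the question): the legacy _template shape that
# GET /_template/<name> returns, wrapped in the template name, with a top-level
# "order" and a mapping type name ("doc") that PUT /_index_template rejects.
LEGACY_BODY = {
    "unifisyslog": {
        "order": 0,
        "index_patterns": ["unifisyslog-*"],
        "settings": {"index": {"number_of_shards": "1", "number_of_replicas": "1"}},
        "mappings": {
            "doc": {
                "properties": {
                    "source.ip": {"type": "ip"},
                    "source.geo": {"properties": {"location": {"type": "geo_point"}}},
                }
            }
        },
        "aliases": {},
    }
}

# Sections that a composable template nests under "template".
TEMPLATE_SECTIONS = ("settings", "mappings", "aliases")
# Top-level keys PUT /_index_template accepts (the ones handled here; assumed subset, not exhaustive).
COMPOSABLE_TOP_LEVEL = {"index_patterns", "template", "priority", "composed_of",
                        "version", "_meta", "data_stream"}
# Keys that legitimately sit at the top of a mappings object, i.e. are not type names.
MAPPING_LEVEL_KEYS = {"properties", "dynamic", "dynamic_templates", "_source", "_meta",
                      "_routing", "date_detection", "numeric_detection"}


def unwrap_name(body):
    """GET /_template/<name> wraps the definition in {name: {...}}; return (name, inner)."""
    if len(body) == 1:
        (name, inner), = body.items()
        if isinstance(inner, dict) and "index_patterns" in inner:
            return name, inner
    return None, body


def strip_mapping_type(mappings):
    """7.x has no mapping types: {"doc": {"properties": ...}} becomes {"properties": ...}."""
    if len(mappings) == 1:
        (key, inner), = mappings.items()
        if key not in MAPPING_LEVEL_KEYS and isinstance(inner, dict) and "properties" in inner:
            return inner
    return mappings


def to_composable(legacy):
    """Convert a legacy _template body into a PUT /_index_template body.

    Returns (template_name_or_None, composable_body). Raises ValueError on keys
    with no composable equivalent instead of silently dropping them.
    """
    name, body = unwrap_name(legacy)
    body = deepcopy(body)
    composable = {"index_patterns": body.pop("index_patterns")}
    # Assumed equivalence: legacy "order" and composable "priority" both mean "higher wins".
    if "order" in body:
        composable["priority"] = body.pop("order")
    for key in ("version", "_meta"):
        if key in body:
            composable[key] = body.pop(key)
    template = {key: body.pop(key) for key in TEMPLATE_SECTIONS if key in body}
    if "mappings" in template:
        template["mappings"] = strip_mapping_type(template["mappings"])
    if template:
        composable["template"] = template
    if body:
        raise ValueError(f"keys with no _index_template equivalent: {sorted(body)}")
    return name, composable


def validate_composable(body):
    """Return the problems that would make PUT /_index_template reject this body."""
    problems = []
    if "index_patterns" not in body:
        problems.append("missing 'index_patterns'")
    for key in body:
        if key in TEMPLATE_SECTIONS:
            problems.append(f"'{key}' must be nested under 'template'")
        elif key not in COMPOSABLE_TOP_LEVEL:
            problems.append(f"unexpected top-level key '{key}'")
    mappings = body.get("template", {}).get("mappings", {})
    if mappings and strip_mapping_type(mappings) is not mappings:
        problems.append("mappings are wrapped in a type name; 7.x mappings start at 'properties'")
    return problems


def render_put(name, body):
    """Render the request as Kibana Dev Tools console text."""
    return f"PUT /_index_template/{name}\n" + json.dumps(body, indent=2)


if __name__ == "__main__":
    print("legacy body problems:", validate_composable(LEGACY_BODY["unifisyslog"]))
    name, fixed = to_composable(LEGACY_BODY)
    print("converted body problems:", validate_composable(fixed))
    print(render_put(name, fixed))
```

Run against the constructed legacy body, `validate_composable` reports the two errors seen in the thread (the `order` key, and `settings`/`mappings`/`aliases` not under `template`) plus the `doc` type wrapper; the converted body validates clean and renders as the same console request the answer shows.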

That worked. Thank you very much. Having an example to use to go through the documentation makes it a lot easier for me to grasp!
