Hi,
I'm working on a new template for my syslog messages. Here's my template:
PUT _template/syslog
{
  "template": "syslog*",
  "settings": {
    "analysis": {
      "analyzer": {
        "only_lowercase": {
          "type": "custom",
          "tokenizer": "keyword",
          "filter": [
            "lowercase"
          ]
        }
      }
    }
  },
  "mappings": {
    "_default_": {
      "properties": {
        "syslog_pid": {
          "type": "integer",
          "index": "not_analyzed"
        },
        "syslog_program": {
          "type": "string",
          "index": "not_analyzed",
          "analyzer": "only_lowercase"
        },
        "syslog_hostname": {
          "type": "string",
          "analyzer": "only_lowercase"
        },
        "syslog_message": {
          "type": "string",
          "analyzer": "only_lowercase"
        },
        "received_from": {
          "type": "ip"
        },
        "host": {
          "type": "ip"
        }
      }
    }
  }
}
I want to lowercase incoming syslog_hostname, but it's not working. But if I'm testing with
curl 'http://localhost:9200/syslog-2015.07.06/_analyze?analyzer=only_lowercase' -d "Hostname"
"Hostname" will be lowercase. So what is going wrong?
Michael