And on the heels of my last post about this, Elasticsearch has again swapped where the data goes. Previously, data from Logstash would go to the service field. After a few days, however, data starts going to the service.keyword field (by design, apparently). Now, after stopping the service and upgrading the OS as shown below:
Install: linux-headers-4.4.0-47:amd64 (4.4.0-47.68, automatic), linux-image-4.4.0-47-generic:amd64 (4.4.0-47.68, automatic), linux-image-extra-4.4.0-47-generic:amd64 (4.4.0-47.68, automatic), linux-headers-4.4.0-47-generic:amd64 (4.4.0-47.68, automatic)
Upgrade: libmpx0:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libgcc-5-dev:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), linux-headers-generic:amd64 (4.4.0.45.48, 4.4.0.47.50), linux-libc-dev:amd64 (4.4.0-45.66, 4.4.0-47.68), linux-image-generic:amd64 (4.4.0.45.48, 4.4.0.47.50), cpp-5:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libitm1:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), linux-headers-generic-lts-vivid:amd64 (4.4.0.45.48, 4.4.0.47.50), libcilkrts5:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libasan2:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libquadmath0:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), gcc-5-base:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libstdc++-5-dev:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libtsan0:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libubsan0:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), g++-5:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), gcc-5:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), liblsan0:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libgomp1:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), linux-generic-lts-vivid:amd64 (4.4.0.45.48, 4.4.0.47.50), libatomic1:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), accountsservice:amd64 (0.6.40-2ubuntu11.2, 0.6.40-2ubuntu11.3), libcc1-0:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), libstdc++6:amd64 (5.4.0-6ubuntu1~16.04.2, 5.4.0-6ubuntu1~16.04.4), linux-generic:amd64 (4.4.0.45.48, 4.4.0.47.50), libaccountsservice0:amd64 (0.6.40-2ubuntu11.2, 0.6.40-2ubuntu11.3)
things went fine until, at 17:00 on the dot, data stopped going to the service.keyword field:
Secondly, now all the data went back to going to the service field:
And lastly, even though I have a template that says not to analyze strings, my service field is now being analyzed:
Can anyone shed any light on this behavior before I open a bug on this? Thank you.