Dynamic Template not working after upgrading to Elasticsearch 2.3.1

sharon.c · April 26, 2016, 8:02pm

I just upgraded the elasticsearch from 2.0 to 2.3.1
It is strange that the templates I used to use were working in 2.0, but not working in 2.3.1
The same logstash instance I was using to inject the same docs, but the docs are using the template I defined.

This is my template definition

curl -XPUT 'http://staging-elkstack:9200/_template/elkstats_template' -d '
{
"order" : 2,
"template": "template_test*",
"settings": {
"number_of_shards" : 8,
"number_of_replicas" : 0
},
"mappings" : {
"log" : {
"_all" : {"enabled" : false, "omit_norms" : true},
"dynamic_templates" : [ {
"message_field" : {
"match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "not_analyzed", "omit_norms" : true
}
}
}, {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "not_analyzed", "omit_norms" : true
}
}
}
],
"properties" : {
"@timestamp": { "type": "date", "doc_values" : true },
"@version": { "type": "string", "index": "not_analyzed", "doc_values" : true },
"geopoint": {
"type": "geo_point"
}
}
}
}
}
'

This is my logstash .conf file output part

input{stdin{}}
filter {
json { source => "message" }
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => "staging-elkstack:9200"
index => "template_test"
template_name => "elkstats_template"
}
}

To test the logstash conf, you can use this input

{ "longitude":-73.758, "latitude":41.0291}

sharon.c · April 27, 2016, 5:05pm

My problem is that in the the dynamic_templates , I set all the strings ("match" : "*") should not be analysed. But in reality, the string field like host field is still analysed. As you can see in the picture below: host, tag, and message should not be analysed. But in reality they are analyzed

sharon.c · April 27, 2016, 9:51pm

When I used the previous versions, they are all fine, but after I upgraded to 2.3, logstash does not pick up the dynamic_templates.

sharon.c · April 27, 2016, 11:14pm

My question is: can you give me a simple example to define a dynamic template, for all the string fields, make them not analysed?

anhlqn · April 29, 2016, 4:20pm

Could you do an XGET to make sure the template is in ES?

Shouldn't it be "_all"?

Below is my working dynamic template on ES 2.3.0 and Logstash 2.3.0

"dynamic_templates": [
        {
          "string_fields": {
            "mapping": {
              "index": "not_analyzed",
              "omit_norms": true,
              "type": "string"
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],

sharon.c · April 29, 2016, 6:59pm

I was using "_all", Not sure how come the underline is not showing in this page. Thank you, I will try your template format.