Hi @Andrew_G
I am seeing some strange behaviour. It seems like the template is being ignored.
I will step through what I have done. (I am testing only with Winlogbeat to make it easier)
```
DELETE /_template/winlogbeat-*
DELETE /winlogbeat-*

GET _template/winlogbeat-7.9.2/
{}

GET /winlogbeat-*
{}
```
Everything cleared out
Run setup to create the template
```
GET _template/winlogbeat-7.9.2/
```
```
...
"event" : {
  "properties" : {
    "severity" : {
      "type" : "long"
    },
    "code" : {
      "ignore_above" : 1024,
      "type" : "keyword"
    },
    "original" : {
      "ignore_above" : 1024,
      "type" : "keyword"
    },
    "risk_score" : {
      "type" : "float"
    },
    "timezone" : {
      "ignore_above" : 1024,
      "type" : "keyword"
    },
    "created" : {
      "type" : "date"
    },
    "kind" : {
      "ignore_above" : 1024,
      "type" : "keyword"
    },
    "module" : {
      "ignore_above" : 1024,
      "type" : "keyword"
    },
...
```
As we can see, it created the template with `event.module` as a keyword.
Index is still empty at this point.
```
GET /winlogbeat-*/_mapping/field/event.module
{ }
```
Ingest some data ...
```
{
  "winlogbeat-7.9.2" : {
    "mappings" : {
      "event.module" : {
        "full_name" : "event.module",
        "mapping" : {
          "module" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}
```
Problem is still there.
In short, the template is correct, but the index is created with the incorrect field type.
Any ideas? Thanks again, I really appreciate all the help.
Cheers!
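The check this post walks through by hand (compare what the template declares with what the index actually got) as an added example; this is not code from the post or from Winlogbeat. The sample inputs are constructed from the two mappings quoted above, and the `looks_dynamically_mapped` test relies on the fact that Elasticsearch's default dynamic mapping for a string is `text` with a `keyword` sub-field limited to `ignore_above: 256`.

```python
"""Flag fields whose type in a live index differs from the index template.
Sample inputs below are constructed from the mappings quoted in the post."""

# Constructed from the template excerpt: event.module is declared keyword.
TEMPLATE_PROPERTIES = {
    "event": {"properties": {
        "module": {"type": "keyword", "ignore_above": 1024},
        "severity": {"type": "long"},
    }},
}

# Constructed from the GET /winlogbeat-*/_mapping/field/event.module output.
INDEX_FIELD_MAPPING = {
    "winlogbeat-7.9.2": {"mappings": {"event.module": {
        "full_name": "event.module",
        "mapping": {"module": {
            "type": "text",
            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
        }},
    }}},
}

def flatten_properties(props, prefix=""):
    """Flatten a nested 'properties' tree into {"dotted.name": type}."""
    out = {}
    for name, body in props.items():
        full = prefix + name
        if "properties" in body:
            out.update(flatten_properties(body["properties"], full + "."))
        if "type" in body:
            out[full] = body["type"]
    return out

def looks_dynamically_mapped(leaf):
    """True when a field carries the default dynamic string mapping
    (text + .keyword sub-field with ignore_above 256), i.e. no template applied."""
    sub = leaf.get("fields", {}).get("keyword", {})
    return (leaf.get("type") == "text" and sub.get("type") == "keyword"
            and sub.get("ignore_above") == 256)

def mapping_drift(template_props, field_mapping_response):
    """Return {index: {field: (expected_type, actual_type, dynamic)}} for every
    field whose actual type differs from the type the template declares."""
    expected = flatten_properties(template_props)
    drift = {}
    for index, body in field_mapping_response.items():
        for full_name, entry in body["mappings"].items():
            leaf = entry["mapping"][full_name.rsplit(".", 1)[-1]]
            actual = leaf.get("type")
            if full_name in expected and expected[full_name] != actual:
                drift.setdefault(index, {})[full_name] = (
                    expected[full_name], actual, looks_dynamically_mapped(leaf))
    return drift
```

Run it against real output by loading the two API responses with `json.load` in place of the constructed dictionaries; a `dynamic=True` entry tells you the field was mapped on first write rather than from the template.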