Elasticsearch 5.3, how to make keyword type not analyzed

Elastic Stack Elasticsearch
1

I am using elasticsearch 5.3,

here is my definition of index template:

 PUT /_template/mytemplate
 {

    "template": "myindex_*",
    "order" : 1,
     "settings": {
         "number_of_shards" :   1,  
         "number_of_replicas" : 2
     },

    "mappings" : {
     "log" : {
     "_all" : {"enabled" : false, "omit_norms" : true},
     "_source" : {"enabled" : false },
       "properties" : { 
         "tags"  : {
             "type" : "keyword"
         },
           "device_os"  : {
             "type" : "keyword"
         },
...
   }
  }
 }

And I used logstash to inject data to this index...

Here is the index definition in Kibana , you can see for each field, it has 2 different types of fields,

  1. tags.keyword and device_os.keyword, which are not analysed,
  2. tags and device_os fields, which are analyzed

image

How do I avoid generating the analysed fields? I only needs to aggregate them by the who string, and I do not need them to be broken down as token and analysed.
The following is what I want:
image

It is very strange, that when I was using elasticsearch 5.1, there are no additional analysed fields. When I change to elasticsearch 5.3, using the same template, the problem appears.

2

The only explanation I have is that the template was not actually applied.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.