I am using elasticsearch 5.3,
here is my definition of index template:
PUT /_template/mytemplate
{
"template": "myindex_*",
"order" : 1,
"settings": {
"number_of_shards" : 1,
"number_of_replicas" : 2
},
"mappings" : {
"log" : {
"_all" : {"enabled" : false, "omit_norms" : true},
"_source" : {"enabled" : false },
"properties" : {
"tags" : {
"type" : "keyword"
},
"device_os" : {
"type" : "keyword"
},
...
}
}
}
And I used logstash to inject data to this index...
Here is the index definition in Kibana , you can see for each field, it has 2 different types of fields,
- tags.keyword and device_os.keyword, which are not analysed,
- tags and device_os fields, which are analyzed
How do I avoid generating the analysed fields? I only needs to aggregate them by the who string, and I do not need them to be broken down as token and analysed.
The following is what I want:
It is very strange, that when I was using elasticsearch 5.1, there are no additional analysed fields. When I change to elasticsearch 5.3, using the same template, the problem appears.