Elasticsearch how to create index template with raw field

Elastic Stack Elasticsearch
1

Elasticsearch 5.4.0
My logstash will create index by date, I want to create index template,which can auto add raw field not-analyzed. so i can do aggs term by string field. I got some error when create template by kibana dev tools.
DSL text:
put /_template/template_log
{
"template": "logstash-log*",
"mappings": {
"gw-apache": {
"properties": {
"url": {
"type" :"text",
"fileds":{
"raw":{
"type":"text",
"index":"not_analyzed"
}
}
}
}
}
}
}
error output:
{
"error": {
"root_cause": [
{
"type": "mapper_parsing_exception",
"reason": "Mapping definition for [url] has unsupported parameters: [fileds : {raw={index=not_analyzed, type=text}}]"
}
],
"type": "mapper_parsing_exception",
"reason": "Failed to parse mapping [gw_apache]: Mapping definition for [url] has unsupported parameters: [fileds : {raw={index=not_analyzed, type=text}}]",
"caused_by": {
"type": "mapper_parsing_exception",
"reason": "Mapping definition for [url] has unsupported parameters: [fileds : {raw={index=not_analyzed, type=text}}]"
}
},
"status": 400
}

Thanks for your help

2

There are two problems with your index template:

  • A typo: you wrote fileds instead of fields
  • "index":"not_analyzed" for text fields does not exist anymore. It has been replaced by a keyword type.

The following index template should work:

PUT /_template/template_log
{
  "template": "logstash-log*",
  "mappings": {
    "gw-apache": {
      "properties": {
        "url": {
          "type": "text",
          "fields": {
            "raw": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}
3

By the way, what you're trying to do with the index template is the default behavior of Elasticsearch since 5.0. By default, any string will be dynamically mapped to type text as well as as a keyword multifield. To access that multifield, use url.keyword instead of url.raw. So, you may not need that index template...

4

Thank you so much.I got it

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.