Elasticsearch Not_analyzed and analyzed

Hello. For a certain requirement I have made all the indexes not_analyzed:

{
  "template": "*",
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "my_template": {
            "match_mapping_type": "string",
            "mapping": {
              "index": "not_analyzed"
            }
          }
        }
      ]
    }
  }
}

But now, as per our requirement, I have to make certain fields analyzed and keep the rest of the fields not analyzed.

If you explicitly change a specific field's configuration in the mapping,
it will override any settings you defined in the template. Keep your
mapping as is, and simply add the field in your mapping as analyzed.

OK. I am new to Elasticsearch and still understanding how mappings and templates work. But in my case I have made everything not_analyzed, and now for one of the fields I have to make it analyzed and at the same time not_analyzed. As per your suggestion, can I do it without changing the current template? How can I do it? It would be of great help if you could help me with an example.

I think there is no option to change the mapping for a few fields. You just need to overwrite the current mapping template with a new one that has the fields you need changed to analyzed. But changing this only affects new indexes/documents, so I think what you need to do is:

  1. Change your index template
  2. Reindex your data

One more thing to add: if I rewrite my template, I have nested fields too, and I get an error for nested data in the document. In this case I need a mapping where I want a few fields as both not_analyzed and analyzed at the same time, while the rest of the fields should be not_analyzed. I am facing this issue because of the type of data I have, where new fields could be added from the application at any time, so the data we need for a new field should be not_analyzed, whereas to make search case insensitive I want to keep a few fields as both analyzed and not analyzed. I hope this gives some insight into the dilemma I am facing.

It looks like you need to combine dynamic mappings, to set all string fields to not_analyzed (for all newly created fields), with mappings for those fields that need to be analyzed. Please look at part of my netflow template:

PUT _template/netflow
{
  "template": "netflow*",
  "settings": {
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": true,
        "omit_norms": true
      },
      "dynamic_templates": [
        {
          "message_field": {
            "match": "message",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "analyzed",
              "omit_norms": true
            }
          }
        },
        {
          "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed",
              "omit_norms": true
            }
          }
        }
      ],
      "properties": {
        "@version": {
          "type": "string",
          "index": "not_analyzed"
        },
        "host": {
          "type": "ip"
        },
        "IPV4_SRC_ADDR": {
          "type": "ip"
        },
        "IPV4_DST_ADDR": {
          "type": "ip"
        },
        "IN_SRC_MAC": {
          "type": "string",
          "index": "not_analyzed"
        },
        "your_analyzed_fields_go_here": {
          "type": "string",
          "index": "analyzed"
        }
      }
    }
  }
}

Inside "properties": { } is where you put all the analyzed fields. Fields that are not in here will use the dynamic mapping.
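
As an added illustration (not code from the thread or from Elasticsearch), this Python sketch models the precedence described in the last reply: an explicit entry under "properties" beats the dynamic templates, and dynamic templates are tried in order with the first match winning. The "title" field, its "raw" multi-field and the function names are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Trimmed copy of the netflow template's "_default_" mapping from the thread.
# "title" is a hypothetical field added for illustration; its "raw" sub-field
# uses Elasticsearch multi-fields to keep a not_analyzed copy of the value.
DEFAULT_MAPPING = {
    "dynamic_templates": [
        {"message_field": {
            "match": "message", "match_mapping_type": "string",
            "mapping": {"type": "string", "index": "analyzed"}}},
        {"string_fields": {
            "match": "*", "match_mapping_type": "string",
            "mapping": {"type": "string", "index": "not_analyzed"}}},
    ],
    "properties": {
        "IN_SRC_MAC": {"type": "string", "index": "not_analyzed"},
        "title": {
            "type": "string", "index": "analyzed",
            "fields": {"raw": {"type": "string", "index": "not_analyzed"}}},
    },
}


def resolve(field, detected_type, mapping=DEFAULT_MAPPING):
    """Return (source, field_mapping) for a field seen in a new document."""
    # 1. An explicit entry under "properties" always wins.
    if field in mapping.get("properties", {}):
        return "properties", mapping["properties"][field]
    # 2. Otherwise dynamic templates are tried in order; the first match wins.
    #    (Simplified model: only "match" globs and "match_mapping_type".)
    for entry in mapping.get("dynamic_templates", []):
        (name, rule), = entry.items()
        if rule.get("match_mapping_type", detected_type) != detected_type:
            continue
        if fnmatchcase(field, rule.get("match", "*")):
            return name, rule["mapping"]
    # 3. Nothing matched: the built-in default for the detected type applies.
    return "default", {"type": detected_type}


def index_modes(field, detected_type="string"):
    """List every (path, index setting) the field ends up with."""
    _, m = resolve(field, detected_type)
    modes = [(field, m.get("index"))]
    for sub, sub_m in m.get("fields", {}).items():
        modes.append((f"{field}.{sub}", sub_m.get("index")))
    return modes
```

Swapping the two dynamic templates makes "message" fall into the catch-all and become not_analyzed, which is why the specific rule is listed first.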