Hi,
I create a template:
PUT _template/logstash
{
  "index_patterns" : [
    "logstash-*"
  ],
  "settings" : {
    "index" : {
      "lifecycle" : {
        "name" : "filebeat",
        "rollover_alias" : "logstash-rollover-"
      },
      "mapping" : {
        "total_fields" : {
          "limit" : "10000"
        }
      },
      "refresh_interval" : "5s",
      "number_of_shards" : "1",
      "max_docvalue_fields_search" : "200",
      "number_of_replicas" : "0"
    }
  },
  "mappings" : {
    "properties" : {
      "dstgeoip" : {
        "properties" : {
          "country" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "ignore_above" : 256,
                "type" : "keyword"
              }
            }
          },
          "city" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "ignore_above" : 256,
                "type" : "keyword"
              }
            }
          },
          "latitude" : {
            "type" : "half_float"
          },
          "location" : {
            "type" : "geo_point"
          },
          "longitude" : {
            "type" : "half_float"
          }
        }
      },
      "srcgeoip" : {
        "properties" : {
          "country" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "ignore_above" : 256,
                "type" : "keyword"
              }
            }
          },
          "city" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "ignore_above" : 256,
                "type" : "keyword"
              }
            }
          },
          "latitude" : {
            "type" : "half_float"
          },
          "location" : {
            "type" : "geo_point"
          },
          "longitude" : {
            "type" : "half_float"
          }
        }
      }
    }
  },
  "aliases" : { }
}
Then via td-agent I create the index (here is the output for td-agent):
<match syslog-Sierra**>
  @type elasticsearch
  suppress_type_name true
  logstash_format true
  template_overwrite false
  hosts https://yyyy:xxxx@localhost:9200
  ssl_verify false
  ca_file /etc/kibana/elasticsearch-ca.pem
  logstash_prefix logstash-Sierra-
  <buffer>
    flush_interval 5s # for testing
  </buffer>
</match>
}
Elastic reports the index created using the template:
[2021-09-04T16:40:29,337][INFO ][o.e.c.m.MetadataCreateIndexService] [monitor] [logstash-home--2021.09.04] creating index, cause [auto(bulk api)], templates [logstash], shards [1]/[1]
but the index still has replicas set to one and the data fields are still in the wrong mapping.
Thanks