Fields Mapping | not_analyzed

Hi Friends,

I'm starting using the ELK Stack to create a sort of Log Archiving and Log Analyses tool to my team.

I have some firewalls and need change some fields to not_analyzed.

I don't know why, but when I load Kibana, all my fields seems as Analyzed. What is the right manner to apply fields mapping templates?

Thanks in advance for the help.

Here is my conf of Logstash:

.... output { if [type] == "netscreen_traffic" { elasticsearch { hosts => ["localhost:9200"] index => "firewall-traffic-%{+YYYY.MM.DD}" manage_template => false template_overwrite => true template_name => "firewall-traffic" #template => "/etc/logstash/templates/firewall-traffic.json" } }

Here is my mapping json:

{ "template" : "firewall-traffic", "mappings": { "netscreen_traffic": { "action": { "type": "string" }, "device": { "type": "string", "index": "not_analyzed" }, "device_id": { "type": "string", "index": "not_analyzed" }, "dst_ip": { "type": "ip" }, "dst_port": { "type": "string" }, "dst_xlated_ip": { "type": "ip" }, "dst_xlated_port": { "type": "string" }, "dst_zone": { "type": "string", "index": "not_analyzed" }, "duration": { "type": "string" }, "host": { "type": "string", "index": "not_analyzed" }, "message": { "type": "string" }, "policy_id": { "type": "string" }, "priority": { "type": "string" }, "proto": { "type": "string" }, "rcvd": { "type": "integer" }, "reason": { "type": "string", "index": "not_analyzed" }, "sent": { "type": "integer" }, "service": { "type": "string" }, "session_id": { "type": "string" }, "src_ip": { "type": "ip" }, "src_port": { "type": "string" }, "src_xlated_ip": { "type": "ip" }, "src_xlated_port": { "type": "string" }, "src_zone": { "type": "string", "index": "not_analyzed" }, "start_time": { "type": "date" }, "syslog5424_pri": { "type": "string" }, "tags": { "type": "string" }, "type": { "type": "string" } } } }

Which fields are you trying to set as not analysed?

Hi @warkolm, thanks for you awnser, these are the fields what I need don't be analyzed.

These fileds are defined in a custom pattern file, by grok filter.

Ok, just making sure

Have you refreshed the index pattern in KB settings?
Has the template been properly applied to the index it is creating?

HI @warkolm,

I wrote everything from scratch. I get the default template to compare with mine and now I have generated this bellow.

I wasn't use properly the Properties before.

Now I rewrite, submit and applied with success the template to ElasticSearch .

Thanks in advance for you help and sorry my badly english.

{ "template": "firewall-cleanup-*", "settings": { "index.refresh_interval": "10s" }, "mappings": { "netscreen_traffic": { "properties": { "@timestamp": { "type": "date", "format": "strict_date_optional_time||epoch_millis" }, "@version": { "type": "string" }, "action": { "type": "string" }, "device": { "type": "string", "index": "not_analyzed" }, "device_id": { "type": "string", "index": "not_analyzed" }, "dst_ip": { "type": "ip" }, "dst_port": { "type": "string" }, "dst_xlated_ip": { "type": "ip" }, "dst_xlated_port": { "type": "string" }, "dst_zone": { "type": "string", "index": "not_analyzed" }, "duration": { "type": "string" }, "host": { "type": "string", "index": "not_analyzed" }, "message": { "type": "string" }, "policy_id": { "type": "string" }, "priority": { "type": "string" }, "proto": { "type": "string" }, "rcvd": { "type": "string" }, "reason": { "type": "string", "index": "not_analyzed" }, "sent": { "type": "string" }, "service": { "type": "string" }, "session_id": { "type": "string" }, "src_ip": { "type": "ip" }, "src_port": { "type": "string" }, "src_xlated_ip": { "type": "ip" }, "src_xlated_port": { "type": "string" }, "src_zone": { "type": "string", "index": "not_analyzed" }, "start_time": { "type": "string" }, "syslog5424_pri": { "type": "string" }, "tags": { "type": "string" }, "type": { "type": "string" } } } } }

And do the _types of the documents you are indexing match the index?

Hi @warkolm,

Thank you for you assistance. Now Its working well.

Now my challenge is match other firewall model, based in JUNOS OS. I´ll open new topic to keep clean.