Forcing only a particular template on index?

Elastic Stack Elasticsearch
1

Hello elasticsearch community,

I've encountered a particular annoying issue. I have a particular template that I want to force onto my index logstash-transaction-*.

And there exists another template called logstash-* that keeps overwriting my template and causing a mixing field type error in my index.

I have to keep on deleting logstash-* because I do not know who manages this template. Or is this some kind of default logstash template? Is there a force for elasticsearch to match the closest naming template or prioritize a template name over another?

2

You can specify the order in which the templates are applied. Update the template you do not want to override to have a higher order number than your more specialised template should solve it.

3

So if they're both order = 0 (which is random?), if I put order = 1 on the undesired template. It has below priority? This template is refreshed by some job every day, it would overwrite what I set for it (I do not have control on this undesired template). Are there alternatives?

4

I think it is uploaded by Logstash, but am not sure if it uploads if the template is already present.

5 
{
  "logstash-summary": {
    "order": 1,
    "template": "logstash-summary-*",
    "settings": {
      "index": {
        "refresh_interval": "5s"
      }
    },
    "mappings": {
      "logs": {
        "_all": {
          "enabled": true,
          "omit_norms": true
        },
        "dynamic_templates": [
          {
            "message_field": {
              "match": "message",
              "match_mapping_type": "string",
              "mapping": {
                "type": "string",
                "index": "analyzed",
                "omit_norms": true
              }
            }
          },
          {
            "string_fields": {
              "match": "*",
              "match_mapping_type": "string",
              "mapping": {
                "type": "string",
                "index": "not_analyzed",
                "ignore_above": 256
              }
            }
          }
        ],
        "properties": {
          "orderID": {
            "type": "keyword"
          }
        }
      }
    },
    "aliases": {}
  },
  "logstash": {
    "order": 0,
    "version": 50001,
    "template": "logstash-*",
    "settings": {
      "index": {
        "refresh_interval": "5s"
      }
    },
    "mappings": {
      "_default_": {
        "_all": {
          "enabled": true,
          "norms": false
        },
        "dynamic_templates": [
          {
            "message_field": {
              "path_match": "message",
              "match_mapping_type": "string",
              "mapping": {
                "type": "text",
                "norms": false
              }
            }
          },
          {
            "string_fields": {
              "match": "*",
              "match_mapping_type": "string",
              "mapping": {
                "type": "text",
                "norms": false,
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              }
            }
          }
        ],
        "properties": {
          "@timestamp": {
            "type": "date",
            "include_in_all": false
          },
          "@version": {
            "type": "keyword",
            "include_in_all": false
          },
          "geoip": {
            "dynamic": true,
            "properties": {
              "ip": {
                "type": "ip"
              },
              "location": {
                "type": "geo_point"
              },
              "latitude": {
                "type": "half_float"
              },
              "longitude": {
                "type": "half_float"
              }
            }
          }
        }
      }
    },
    "aliases": {}
  }
}

This is my new template list from GET template on elastic... My parsing still get Mixing up field types. This is correct, no?

Also have template_overwrite => true and it is still not overwriting

Found out under my output-elasticsearch.conf... I must set manage_template => false

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.