Grok - How do I make it so a field is indexed in ES?

E_Marshall · December 26, 2017, 5:44pm

First thing, I do have a Grok configuration file which is working just fine in parsing my log files. I even have it writing to a separate file for any non matches.

My issue is that when looking at the created index for logstash-* it only ever contains the following fields (_id, _index, _score, _source and _type)

How do I add fields to this through the config file?

What I have in my config file, which I thought would do the trick is...

add_field => ["fieldOne", "valueOne",
"fieldTwo", "valueTwo",
"fieldThree", "valueThree",
"fieldFour", "valueFour"
]

What am I doing wrong here?

E_Marshall · December 26, 2017, 7:07pm

Okay, partially figured out some things.
The lead has everything going to a default template in order to force us to learn how to create our own templates. Good thinking
So, the default template has for mapping the dynamic value set to false for creating the indexes I've been trying to get to work all day.
So I'm off to go read up on creating Templates and Mappings.

system · January 23, 2018, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.