Grok - How do I make it so a field is indexed in ES?

E_Marshall · December 26, 2017, 5:44pm

First thing, I do have a Grok configuration file which is working just fine in parsing my log files. I even have it writing to a separate file for any non matches.

My issue is that when looking at the created index for logstash-* it only ever contains the following fields (_id, _index, _score, _source and _type)

How do I add fields to this through the config file?

What I have in my config file, which I thought would do the trick is...

add_field => ["fieldOne", "valueOne",
"fieldTwo", "valueTwo",
"fieldThree", "valueThree",
"fieldFour", "valueFour"
]

What am I doing wrong here?

E_Marshall · December 26, 2017, 7:07pm

Okay, partially figured out some things.
The lead has everything going to a default template in order to force us to learn how to create our own templates. Good thinking
So, the default template has for mapping the dynamic value set to false for creating the indexes I've been trying to get to work all day.
So I'm off to go read up on creating Templates and Mappings.

system · January 23, 2018, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dynamically adding fields with ES field mapping template enabled Logstash	3	1249	July 17, 2017
Adding new fields from a match [solved] Logstash	7	5409	May 10, 2019
Dynamically add keyword field to text field Elasticsearch	2	1536	June 5, 2021
Mapping using Logstash Elasticsearch	4	1153	May 12, 2020
How to add dynamic fields + index with a logstash filter? Elasticsearch	2	1787	February 10, 2017

Grok - How do I make it so a field is indexed in ES?

Related topics