Help with dynamic mapping

stecino · August 9, 2016, 12:47am

Hello i have following being written to ES

{
              "@timestamp" => "2016-08-09T00:39:10.741Z",
              "input_type" => "log",
                  "offset" => 20870063,
                  "source" => "/usr/local/nginx/access.log",
                    "tags" => [
        [0] "ypu"
    ],
                    "type" => "nginx",
                "@version" => "1",
                   "kafka" => {
              "msg_size" => 1588,
                 "topic" => "logs-ev1",
        "consumer_group" => "logstash",
             "partition" => 11,
                   "key" => nil
    },
              "nginx_host" => "blah.com",
             "remote_addr" => "10.x.x.19",
    "http_x_forwarded_for" => "xx.xx.xx.10",
               "timestamp" => "09/Aug/2016:00:39:10 +0000",
                    "verb" => "POST",
                 "request" => "/blah/test",
             "httpversion" => "1.1",
                "response" => 200,
                   "bytes" => "2",
                "referrer" => "\"http://www.test.com/detroit-mi/mip/test-llc-482631255?sem=tas%3Dbingspot%26acct%3Dautosem%26adgroup%3Dautosem_spotbuy\"",
                   "agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586",
                  "cookie" => "blah",
           "response_time" => 0.064,
                "platform" => "test"
}

I want to setup dynamic template where it will set following fields to not_analyzed

nginx_host
agent
referrer
cookie
http_x_forwarded_for
httpversion
request
remote_addr

depending on a record, I may have fields like http_x_forwarded1 and http_x_forwarded2, i need to be able to set those to not_analyzed as well
and I would like to set response and response_time to number

jpountz · August 9, 2016, 8:29am

You don't need dynamic templates for this, you could use simple mappings? Eg.

{
  "your_type_name": {
    "properties": {
      "nginx_host": {
        "type": "string",
        "index": "not_analyzed"
      },
      ...same for other not_analyzed fields...,
      "response_time": {
        "type": "integer"
      }
    }
  }
}

stecino · August 9, 2016, 5:32pm

The data coming in may change, so fields may go in and out with the newly index. I have a rolling index. This set of fields will be static.

jpountz · August 9, 2016, 8:57pm

If you have rolling indices, then this would be best put in an index template, so that mappings will be automatically added when indices are created.

Topic		Replies	Views
Elasticsearch Dynamic Mapping Question Elasticsearch	2	318	July 6, 2017
Having trouble with dynamic template, not working Elasticsearch	1	335	February 5, 2019
Dynamic mappings using dynamic templates Elasticsearch	2	856	July 5, 2017
[SOLVED] Dynamic template doesn't match any of my field Elasticsearch	2	715	July 10, 2017
Documentation for dynamic template mappings? Elasticsearch	4	580	September 8, 2022

Help with dynamic mapping

Related topics