Help with dynamic mapping

stecino · August 9, 2016, 12:47am

Hello i have following being written to ES

{
              "@timestamp" => "2016-08-09T00:39:10.741Z",
              "input_type" => "log",
                  "offset" => 20870063,
                  "source" => "/usr/local/nginx/access.log",
                    "tags" => [
        [0] "ypu"
    ],
                    "type" => "nginx",
                "@version" => "1",
                   "kafka" => {
              "msg_size" => 1588,
                 "topic" => "logs-ev1",
        "consumer_group" => "logstash",
             "partition" => 11,
                   "key" => nil
    },
              "nginx_host" => "blah.com",
             "remote_addr" => "10.x.x.19",
    "http_x_forwarded_for" => "xx.xx.xx.10",
               "timestamp" => "09/Aug/2016:00:39:10 +0000",
                    "verb" => "POST",
                 "request" => "/blah/test",
             "httpversion" => "1.1",
                "response" => 200,
                   "bytes" => "2",
                "referrer" => "\"http://www.test.com/detroit-mi/mip/test-llc-482631255?sem=tas%3Dbingspot%26acct%3Dautosem%26adgroup%3Dautosem_spotbuy\"",
                   "agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586",
                  "cookie" => "blah",
           "response_time" => 0.064,
                "platform" => "test"
}

I want to setup dynamic template where it will set following fields to not_analyzed

nginx_host
agent
referrer
cookie
http_x_forwarded_for
httpversion
request
remote_addr

depending on a record, I may have fields like http_x_forwarded1 and http_x_forwarded2, i need to be able to set those to not_analyzed as well
and I would like to set response and response_time to number

jpountz · August 9, 2016, 8:29am

You don't need dynamic templates for this, you could use simple mappings? Eg.

{
  "your_type_name": {
    "properties": {
      "nginx_host": {
        "type": "string",
        "index": "not_analyzed"
      },
      ...same for other not_analyzed fields...,
      "response_time": {
        "type": "integer"
      }
    }
  }
}

stecino · August 9, 2016, 5:32pm

The data coming in may change, so fields may go in and out with the newly index. I have a rolling index. This set of fields will be static.

jpountz · August 9, 2016, 8:57pm

If you have rolling indices, then this would be best put in an index template, so that mappings will be automatically added when indices are created.