Hi, reading the documentation about index templates, I have some doubts on which should be the best practice to define a new template.
My particular situation is very simple, I would like to:
- Define only one template (for Logstash)
- Restrict Elasticsearch to use only 2 shards and 1 replicas
- Add some field mappings directly on the template, if needed
So far I've used the default template generated by Logstash:
{"logstash":{"order":0,"template":"logstash-*","settings":{"index":{"refresh_interval":"5s"}},"mappings":{"_default_":{"dynamic_templates":[{"message_field":{"mapping":{"fielddata":{"format":"disabled"},"index":"analyzed","omit_norms":true,"type":"string"},"match_mapping_type":"string","match":"message"}},{"string_fields":{"mapping":{"fielddata":{"format":"disabled"},"index":"analyzed","omit_norms":true,"type":"string","fields":{"raw":{"ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*"}}],"_all":{"omit_norms":true,"enabled":true},"properties":{"@timestamp":{"type":"date"},"geoip":{"dynamic":true,"properties":{"ip":{"type":"ip"},"latitude":{"type":"float"},"location":{"type":"geo_point"},"longitude":{"type":"float"}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}}}
Should I keep this template and simply add:
PUT _template/logstash
{
"template": "logstash",
"settings": {
"number_of_shards": 2,
"number_of_replicas": 1
}
}
For the mappings, which is the best option:
- Adding them into the index template (like shown above)
- Adding them per index using a
PUT my_indexas shown here - Leaving Logstash assign the correct mapping provided that its configuration contains them
Also, as an alternative to the REST API, which is the proper way to assign an index template to Elasticsearch at startup time?
Thank you