How can I updated the a sub-field within an index to be not_analyzed?

kpam · October 25, 2016, 9:54pm

I have an index with a sub-filed that I want to set to be not analyzed? How can I change this?

Additionally, this indexes are patterned for the day using Filebeat -- is there a way to ensure when new indices are created by Filebeat, the same not analyzed configuration takes place?

Here is my index myrecords-YYYY-MM-DD:

{
	"myrecords-2016.10.25": {
		"aliases": {},
		"mappings": {
			"log": {
				"properties": {
					"@timestamp": {
					"type": "date",
						"format": "dateOptionalTime"
					},
					"user_info": {
						"properties": {
							"channel": {
								"type": "string"
							},
							"channel_params": {
								"properties": {
									"b_length": {
										"type": "long"
									},
									"current_view": {
										"type": "string"
									},
									"m_status": {
										"type": "boolean"
									},
									"is_official": {
										"type": "boolean"
									}
								}
							},
							"viewer": {
								"properties": {
									"platform": {
										"type": "string"
									},
									"player": {
										"type": "string"
									}
								}
							}
						}
					},
					"response": {
						"type": "string"
					}
				}
			}
		},
		"settings": {
			"index": {
				"creation_date": "1477353651509",
				"number_of_shards": "5",
				"number_of_replicas": "1",
				"version": {
					"created": "1050299"
				},
				"uuid": "OmI6yE8CQJS-wqVIfHsbig"
			}
		},
		"warmers": {}
	}
}

I want to change current_view to be not_analyzed and I want the change to take place for every new index created by filebeat when shipping logs to ES.

spalger · October 25, 2016, 10:53pm

You're looking for index templates.

https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

Index templates are configurations that you save in elasticsearch that get applied whenever a new index is created, as long as the index name matches the templates

Your index template should probably looks something like this:

{
  "template": "myrecords-*",
  "mappings": {
    "log": {
      "properties": {
        "@timestamp": {
          "type": "date",
          "format": "dateOptionalTime"
        },
        "myfield": {
          "type": "string",
          "fields": {
            "raw": { 
              "type":  "string",
              "index": "not_analyzed"
            }
          }
        }
      }
    }
  }
}

kpam · October 26, 2016, 12:03am

Thanks @spalger -- will this work with the particular field I want since it's quite nested?

I want to change the current_view field which is nested within channel_params which is nested in user_info.

spalger · October 27, 2016, 4:11pm

Sure will!

Topic		Replies	Views
How to turn current string field into non-analyzed? Kibana	7	1090	July 6, 2017
Changing beat.hostname to not_analyzed Kibana	4	1364	July 6, 2017
Visualize not_analyzed sub field Kibana	3	705	March 27, 2017
Query analyzed field Kibana	3	1385	July 6, 2017
Field set as not analyzed but kibana shows it as analyzed Elasticsearch	5	2356	July 5, 2017

How can I updated the a sub-field within an index to be not_analyzed?

Related topics