Hello,
I have a few questions about dynamic templates in Elasticsearch.
I don't need to analyze text. (I believe I don't need to analyze numeric fields either?)
Here is my current template; for the moment, only the keyword fields are not analyzed:
{
  "order": 0,
  "version": 50001,
  "template": "edr-*",
  "settings": {
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
      "refresh_interval": "-1"
    }
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "string_fields": {
            "mapping": {
              "norms": false,
              "type": "text",
              "fields": {
                "keyword": {
                  "index": "not_analyzed",
                  "type": "keyword"
                }
              }
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],
      "_all": {
        "norms": false,
        "enabled": true
      },
      "properties": {
        "edr_GrantedTotalOctets": {
          "type": "long"
        },
        "edr_MSN": {
          "type": "long"
        },
        "edr_Useets": {
          "type": "long"
        },
        "geoip": {
          "enabled": false
        },
        "edr_MionFlag": {
          "type": "byte"
        },
        "input_type": {
          "enabled": false
        },
        "edr_Usamit": {
          "type": "long"
        },
        "edr_Janomer": {
          "type": "byte"
        },
        "@timestamp": {
          "include_in_all": false,
          "type": "date"
        },
        "edr_Subscrid": {
          "type": "long"
        },
        "beat": {
          "enabled": false
        },
        "@version": {
          "include_in_all": false,
          "type": "keyword"
        },
        "name": {
          "enabled": false
        },
        "host": {
          "enabled": false
        },
        "edr_MastDN": {
          "index": "not_analyzed",
          "type": "long"
        },
        "edr_ParolFlag": {
          "type": "byte"
        },
        "edr_NC": {
          "type": "integer"
        },
        "edr_II": {
          "type": "long"
        }
      }
    }
  },
  "aliases": {}
}
In the Elasticsearch deprecation logs, I have error messages about deprecated string fields. How do I resolve this?
On my index pattern page, I have the .keyword fields as not analyzed (OK), but not the main fields (example: edr_CCRT: analyzed; edr_CCRT: not analyzed).
I think it's better to put "not_analyze" on all fields (string, text, numeric), no? But how