How to turn current string field into non-analyzed?


(zoplex) #1

Is there a way to take a string field (one that is added with 'add_field' in the mutate section of the Logstash filter) and change it into non-analyzed, so it does not break the string into words? Either in the Logstash filter or in Kibana? I don't see setting this in the add_field as an option ...


(Magnus Bäck) #2

This is controlled by the Elasticsearch mappings, defined by the index template. You can make a copy of the index template that Logstash installs for you, make the necessary changes to it, and point Logstash to your copy (or upload it to ES yourself and disable Logstash's index template management).


(zoplex) #3

OK - thank you for the direction.


(zoplex) #4

Marcus - I tried creating a new template for testing (in a new test index) and that worked fine, so I can now access the .raw field for aggregation in Kibana without it being analyzed - but I cannot seem to find the way to list (all) installed templates - and then get them out, modify and update ...

Also, I am assuming that if I have an index pattern with a date stamp - meaning a new index gets created every day in this general format: [filebeat-]YYYY.MM.DD (gets created automatically by new data inserts) - I would be able to set the mapping for all upcoming indexes in one command/POST/PUT?

Thanks


(zoplex) #5

Kibana 4.5 on ES 2.3


(zoplex) #6

.. I answered the first part - found the command: curl -X GET 'localhost:9200/_all/_mapping?pretty=true' - that works on both 2.3 and 5x-alpha


(Magnus Bäck) #7

Also, I am assuming that if I have an index pattern with a date stamp - meaning a new index gets created every day in this general format: [filebeat-]YYYY.MM.DD (gets created automatically by new data inserts) - I would be able to set the mapping for all upcoming indexes in one command/POST/PUT?

Yes, that's the point of index templates. They apply to all new indexes whose name matches the one set in the template.
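
The steps discussed in this thread (list the installed templates, then install one template that covers every future daily filebeat index), as an added example that is not part of the original posts. It uses the Elasticsearch 2.x syntax of the version named above; the template name `filebeat_custom`, the field name `my_added_field` and the `ES_URL` default are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Elasticsearch 2.x index template syntax.
ES_URL="${ES_URL:-http://localhost:9200}"  # assumed local node
TEMPLATE_NAME="filebeat_custom"            # hypothetical template name
FIELD_NAME="my_added_field"                # hypothetical field set via add_field

# Print the template body. "template" is the index-name pattern: every index
# created later whose name matches it receives these mappings. Existing
# indexes are not changed. When several templates match, they are merged and
# the one with the higher "order" wins, so this overrides a default at order 0.
template_body() {
  cat <<EOF
{
  "template": "filebeat-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "properties": {
        "${FIELD_NAME}": { "type": "string", "index": "not_analyzed" }
      }
    }
  }
}
EOF
}

# List every installed index template (templates, not per-index mappings).
list_templates() {
  curl -sS -XGET "${ES_URL}/_template?pretty"
}

# Install or overwrite the template in a single PUT.
install_template() {
  template_body | curl -sS -XPUT "${ES_URL}/_template/${TEMPLATE_NAME}" \
    -H 'Content-Type: application/json' -d @-
}

# Show the mapping of one concrete index, e.g. the next daily index, to
# confirm the field came out as not_analyzed.
show_mapping() {
  curl -sS -XGET "${ES_URL}/$1/_mapping?pretty"
}
```

Source the file, then run `list_templates` and `install_template`; once the next daily index has been created, `show_mapping` with that index name shows whether the field is `not_analyzed`.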

