Dear colleagues.
i have Kibana Elasticsearch fluentd.
i import data via syslog (logstash format) and i see all new fields have option analysed On.
But i not need it : top 10 and etc diagram is going by separated words from this fields.
I need to top 10 for full original data in field.
i tried to setup template
PUT /_template/logstash-*
{
"template": "logstash-",
......
"ProbableCause": { "type": "string", "index": "not_analyzed" },
....
but result same .
Could you help me to change analysed to not_analysed for one field or for logstash- index
?
It looks like you are getting an error when you are trying to set a mapping template. Can you provide the full command you are passing to Elasticsearch, and the full error message?
Also note that in Logstash 1.3.1 and above, there is a logstash indexing template provided which adds a .raw field to every field you index, which is mapped as not_analyzed and is the original value as-is. So you might not need to adjust the mappings at all - just use the original field when you want an analyzed string, and the .raw of that field when you want the not_analyzed original value.
1 Like
Thank you! solved. by adding a .raw field to every field you index