So I've made an index template to set up mappings for some nginx access logs I've put in Elasticsearch with Filebeat & Logstash. Because I have various nginx access log formats I set for each format a different document_type with Filebeat & according to that I use different grok patterns to extract fields from the logs. So on Elasticsearch logs arrive with type nginx_access_main or nginx_access_api. In the index template mapping though I've used an arbitrary nginx_access type.
I'm trying to understand why that works. Is it because it's a substring of the actual types or is it because fields are shared across mapping types? If it's the latter what's the point of using the type in the mapping since no matter what it'll work for all types?
I'm also trying to actually change the document type with Logstash but by mutate replacing type I only update the type field whereas the _type field remains the same. Is there any way to change that? In this year-old discussion it seems mutating type had worked for them.
Thanks