Issue in getting raw fields

I have created template as below.

"dynamic_templates": [
{
"disk_space3": {
"match_mapping_type": "string",
"match": "*",
"mapping": {
"type": "string",
"fields": {
"raw": {
"type": "string",
"index": "not_analyzed",
"ignore_above": 256
}
}
}
}
}
]

And output is as below:

output {
elasticsearch {
action => "index"
hosts => "localhost:9200"
index => "%{type}"
workers => 1
manage_template => false
template => "/installdir/ELK/logstash-2.2.0/template/b_analyzed.json"
template_name => disk_space3
}
stdout {
codec => json
}
}

But is is still analyzing the field. Can you help.

To be clear, your fields will still be analyzed. However elasticsearch will create sub fields that are NOT analyzed and can be used for sorting or aggregations. For instance if one of your string fields is "foo", then you will have a "foo.raw" field that is not analyzed.

This is what I am looking for. but I am not getting any field with .raw Am I missing anything here?

Templates only apply to fields that are not defined in the mappings yet. Maybe this explains why you don't see any new fields being created?

I have all the new fields
if [type] == "disk_space" {
  grok {

    match => [ "message", "%{DATESTAMP:date} %{NUMBER:used:int} %{GREEDYDATA:disk_part}" ]

  }
}

even it is showing as analyzed. not sure where I am making mistake

Could you delete the index and try again? I suspect the source of the problem is that you are indexing into an existing index, so dynamic templates won't be applied.

are my template and output good? I tried to reindex and also with different index but no luck.
Do I need to load the template in elasticsearch. Is it possible

index => "%{type}"

Does your template apply to indexes with this name? Logstash's default template only applies to logstash-* indexes, for example.

@magnusbaeck I was trying to create the same. Is it possible. I was making another template.

As of now my testing is blocked due to Redundancy in logging "Flushing buffer at interval"