Logstash conf file with not_analyzed field

chenbe2204 · June 6, 2016, 6:29am

Hi ,

I want to load my Json file to the Elasticsearch and add i need that one of the fields will be not_analyzed
This is my conf file:
input {
file{
path => ["/root/scripts/vdm-server_10-4_parasoft_103.json"]
type => "json"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}

filter{
json {
source => "message"
}
}

filter{
date {
match => ["create_time", "MM/dd/yyyy"]
target => "@timestamp"
}
}

output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => localhost
index => index_tmp1
}
}

example for a line from the json file:
{"project":"server" ,"branch":"10" ,"type":"Flow" ,"build_number":103 ,"severity":"Severity 1 = Highest" ,"line":804 ,"tool":"c++test" ,"pkg":"" ,"msg":"prior to initialization" ,"locfile":"/build_scripts/external/minizip/src333/zip.c" ,"rule":"BD-1" ,"auth":"hudson" ,"create_time":"06/05/2016" }

The field I need as not analyzed is "severity".

Thanks
Chen

warkolm · June 6, 2016, 7:00am

You need to do that in ES via a mapping or a template, see https://www.elastic.co/guide/en/elasticsearch/guide/current/mapping-analysis.html

chenbe2204 · June 6, 2016, 7:47am

Is there any way to define not_analyzed field in the conf file of the Logstash ?

warkolm · June 6, 2016, 7:48am

No, it is an ES concept, not an LS one.

chenbe2204 · June 6, 2016, 7:54am

So if i want to split a Chart in the Kibana by this field , how can I do it ?

bryan_stuhlsatz · June 6, 2016, 10:45am

This is Logstash forum. You should start a thread in Kibana.

magnusbaeck · June 8, 2016, 5:38am

So if i want to split a Chart in the Kibana by this field , how can I do it ?

If you don't want the field to be analyzed and split into tokens, modify the indexes' mappings by changing the index template.

chenbe2204 · July 4, 2016, 6:52am

Thanks

hongyuan1306 · July 4, 2016, 7:47am

Can we not configure the template directly from logstash config file as indicated by the documentation like:

elasticsearch {
  hosts => localhost
  index => index_tmp1
  template => "/path/to/mytemplate"
  template_overwrite => true
}

Since the log transformation is control from the logstash config, it makes sense to place the mapping definition also on the logstash side.

magnusbaeck · July 4, 2016, 7:50am

Can we not configure the template directly from logstash config file as indicated by the documentation

Sure you can.

antonin42 · August 12, 2016, 1:31pm

Hi @magnusbaeck , I did not find this in Logstash Online Doc. How can you configure the template directly from logstash config file ?
Thanks in advance, good day.
Antonin

magnusbaeck · August 12, 2016, 2:01pm

Look at the template-related options listed in the documentation of the elasticsearch output plugin.