Logstash config:
if [application] == "api_xalok_varnish" {
elasticsearch {
template => "/etc/logstash/templates/api_xalok_varnish.json"
template_name => "api_xalok_varnish"
template_overwrite => true
index => "%{+YYYY-MM-dd}-api_xalok_varnish"
hosts => ["192.168.253.128:9200"]
}
}
Template here:
{
"template" : "*-api_xalok_varnish" : {
"mappings" : {
"logs" : {
"properties" : {
"@timestamp" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
},
"application" : {
"type" : "string"
},
"hostname" : {
"type" : "string"
},
"site" : {
"type" : "string"
},
"tag" : {
"type" : "string",
"string" : "not_analyzed"
},
"url" : {
"type" : "string",
"string" : "not_analyzed"
},
"when" : {
"properties" : {
"_i" : {
"type" : "long"
}
}
}
}
}
}
}
}
This is what my mapping looks on my ES:
{
"2016-10-14-api_xalok_varnish" : {
"mappings" : {
"logs" : {
"properties" : {
"@timestamp" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
},
"application" : {
"type" : "string"
},
"hostname" : {
"type" : "string"
},
"site" : {
"type" : "string"
},
"tag" : {
"type" : "string"
},
"url" : {
"type" : "string"
},
"when" : {
"properties" : {
"_i" : {
"type" : "long"
}
}
}
}
}
}
}
}
It isn't applying the "not_analyzed", the weird part is that I have already 4 other templates and they work perfectly but this one doesn't.