I used to use a static mapping for a fixed name index like this, and it is really working very well.
logstash 's conf file, I set the following, to prevent elasticsearch to use it's own template, I wrote manage_template => false
output {
elasticsearch {
hosts => "dev-elkstack:9200"
index => "elkstats_record_clicks"
template_name => "clicks"
manage_template => false
}
}
In elasticsearch template settings, I set:
curl -XPUT 'http://dev-elkstack:9200/elkstats_record_clicks' -d '
{
"settings": {
"number_of_shards" : 8,
"number_of_replicas" : 0
},
"mappings" : {
...
}
}
I used the settings up there, and when kibana load the index, it can recognize all the field types I set, like date and geopoint
But now, I need to have logstash to generate one index every day, so I need to set the template to match index names.
In my experiment, logstash 's conf file, I set:
output {
elasticsearch {
hosts => "dev-elkstack:9200"
index => "elkstats_record_clicks_%{+YYYY.MM.dd}"
template_name => "clicks"
}
}
In elasticsearch template settings, I set a template mapping named clicks:
curl -XPUT dev-elkstack:9200/_template/clicks -d '
{
"template": "elkstats_record_clicks*",
"settings": {
"number_of_shards" : 8,
"number_of_replicas" : 0
},
"mappings" : {
...
}
}
However, when I use kibana to load the index "elkstats_record_clicks_*", it shows this index is not bind to the mapping "clicks", but it is using the default tempplate of elasticsearch, and it has many fields like date type not recognized by elasticsearch.
Can you tell me which part of the setting is not correct?