Nailed it down to documents like this:
{"_index":"popserv-2016.05.25","_type":"popserv","_id":"AVTnEhpwWvfOjJPMxwwj","_score":1.2420747,
"_source":
{"message":"<redacted>","@timestamp":"2016-05-25T08:39:57.292Z","tags":[],
"type":"popserv","host":"<redacted>","lglvl":"Note","event":"PopConnMade","user":<redacted>,
"mbox":9xxxxxxxxxxxxxxxxxxx,
"cmd":"<redacted>","fromhost":"<redacted ip>",
"geoip":{"country_name":"<redacted>","continent_code":"EU","city_name":"<redacted>","location":[xx.520100000000014,yy.39019999999999],"ip":"<redact ip>"},
"geoasn":{"number":"<redacted>","asn":"<redacted>"}
}
}
And have this template for the index:
{
"template":"popserv-*",
"settings":{"index":{"number_of_shards":1,"number_of_replicas":1,"refresh_interval":"5s"}},
"mappings":{
"_default_":{
"dynamic_templates":[{
"template1":{
"mapping":{"ignore_above":64,"index":"not_analyzed","omit_norms":"true","type":"{dynamic_type}","doc_values":true},
"match":"*"}
}],
"_all":{"norms":{"enabled":false},"enabled":true},
"properties":{
"@timestamp":{"type":"date"},
"host":{"index":"not_analyzed","omit_norms":"true","type":"string"},
"user":{"index":"not_analyzed","omit_norms":"true","type":"string"},
"mbox":{"index":"not_analyzed","omit_norms":"true","type":"string"},
"event":{"index":"not_analyzed","omit_norms":"true","type":"string"},
"type":{"index":"not_analyzed","omit_norms":"true","type":"string"},
"geoip":{"properties":{"location":{"type":"geo_point"},"ip":{"type":"ip","omit_norms":true,"index":"not_analyzed"}}},
"fromhost":{"index":"not_analyzed","omit_norms":"true","type":"ip"}
}
}
},
"aliases":{}
}
My concern is that the mbox field isn't made a string as the template says, since its value isn't quoted '"' like other string fields, and that 20-digit numbers cause this BIG_INTEGER issue.
Am I right that it's not a string when not returned '"' quoted, and if so, how can I force this field to be made a string if not by my template?
Don't suppose query parameter 'lenient' can't help if possible to use from Kibana either?
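As an added example, not part of the original post: `_source` is the JSON body exactly as it was sent, so an unquoted `mbox` means the shipper emitted a JSON number, and a 20-digit value starting with 9 is larger than the signed 64-bit maximum 9223372036854775807. The sketch below assumes a hypothetical Python step in front of indexing (the function names and the sample event are constructed) that emits identifier fields as strings and reports any other integer that does not fit a long.

```python
import json

INT64_MIN, INT64_MAX = -2**63, 2**63 - 1

def out_of_long_range(value):
    """True for a JSON integer that does not fit a signed 64-bit long."""
    return (isinstance(value, int) and not isinstance(value, bool)
            and not INT64_MIN <= value <= INT64_MAX)

def stringify_ids(node, id_fields=("mbox",), path=""):
    """Return (clean_copy, changed_paths).

    Fields named in id_fields are always emitted as strings; any other
    integer outside the long range is converted too and reported.
    """
    changed = []
    if isinstance(node, dict):
        clean = {}
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in id_fields and isinstance(value, int) and not isinstance(value, bool):
                clean[key] = str(value)
                changed.append(here)
            else:
                clean[key], sub = stringify_ids(value, id_fields, here)
                changed += sub
        return clean, changed
    if isinstance(node, list):
        items = [stringify_ids(v, id_fields, f"{path}[{i}]") for i, v in enumerate(node)]
        return [c for c, _ in items], [p for _, ch in items for p in ch]
    if out_of_long_range(node):
        return str(node), [path]
    return node, changed

# Constructed sample event; the mbox digits are made up, not from the post.
RAW = ('{"event":"PopConnMade","user":"alice","mbox":91234567890123456789,'
       '"geoip":{"location":[12.5201,55.3902]},"tags":[]}')

def demo():
    clean, changed = stringify_ids(json.loads(RAW))
    return json.dumps(clean, separators=(",", ":")), changed

if __name__ == "__main__":
    body, changed = demo()
    print(changed)   # paths that were converted to strings
    print(body)      # event body with mbox quoted
```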