Following Alex's suggestion, I decided to go for broke and tried implementing an Index Template. "logstash-2019.08.08-000001" is the name of my Index:
curl -X PUT "localhost:9200/_template/logstash-2019.08.08-000001" -H 'Content-Type: application/json' -d'
{
  "template": "logstash-2019.08.08-000001",
  "order": 1,
  "settings": {
    "index": {
      "refresh_interval": "5s"
    }
  },
  "mappings": {
    "default": {
      "_all": {
        "norms": false,
        "enabled": true
      },
      "properties": {
        "Packet.L3.Src": { "type": "ip" },
        "Packet.L3.Dst": { "type": "ip" }
      }
    }
  }
}
'
FYI, this was run directly on the command line within my Elasticsearch Docker container (v7.3.0). The error message I got back was a single run-on error message; I've added a bunch of newlines to try and make sense of it:
{
  "error": {
    "root_cause": [
      {
        "type": "mapper_parsing_exception",
        "reason": "Root mapping definition has unsupported parameters: [default : {_all={norms=false, enabled=true}, properties={Packet.L3.Src={type=ip}, Packet.L3.Dst={type=ip}}}]"
      }
    ],
    "type": "mapper_parsing_exception",
    "reason": "Failed to parse mapping [_doc]: Root mapping definition has unsupported parameters: [default : {_all={norms=false, enabled=true}, properties={Packet.L3.Src={type=ip}, Packet.L3.Dst={type=ip}}}]",
    "caused_by": {
      "type": "mapper_parsing_exception",
      "reason": "Root mapping definition has unsupported parameters: [default : {_all={norms=false, enabled=true}, properties={Packet.L3.Src={type=ip}, Packet.L3.Dst={type=ip}}}]"
    }
  },
  "status": 400
}
Maybe I'm misreading this, but it looks like Elasticsearch is telling me, "I don't see a Packet.L3.Src or Packet.L3.Dst field within logstash-2019.08.08-000001". Am I missing the bigger picture?
Thanks
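Added example (not part of the post above, and not code from the poster or from Elastic): the template body in the post is written in the pre-7.0 shape, with the mapping wrapped in a type name ("default") and an "_all" metafield. Elasticsearch 7.0 removed mapping types, so the mapping body must sit directly under "mappings", and it removed the "_all" field; the legacy "_template" API also takes a list under "index_patterns" rather than a "template" string. The script below takes the posted template (embedded inline as constructed sample input), lists the reasons a 7.x node rejects it, rewrites it into the 7.x shape, and renders the matching curl command. The helper names (find_legacy_problems, to_v7_template, curl_command) and the ROOT_MAPPING_KEYS set are my own assumptions for this example, not an Elasticsearch API.

```python
"""Rewrite a pre-7.0 Elasticsearch index template into the 7.x shape."""
import copy
import json

# Constructed sample input: the template body from the post, as sent to
# Elasticsearch 7.3.0 (which rejects it with mapper_parsing_exception).
LEGACY_TEMPLATE = {
    "template": "logstash-2019.08.08-000001",
    "order": 1,
    "settings": {"index": {"refresh_interval": "5s"}},
    "mappings": {
        "default": {
            "_all": {"norms": False, "enabled": True},
            "properties": {
                "Packet.L3.Src": {"type": "ip"},
                "Packet.L3.Dst": {"type": "ip"},
            },
        }
    },
}

# Keys that are legitimate at the root of a 7.x mapping (assumed list for
# this example). Any other dict-valued key at that level is a type name.
ROOT_MAPPING_KEYS = {
    "properties", "dynamic", "dynamic_templates", "date_detection",
    "numeric_detection", "dynamic_date_formats", "_source", "_routing",
    "_meta", "_field_names", "_size",
}


def _type_names(mappings):
    """Mapping keys that are legacy type names rather than root parameters."""
    return [k for k, v in mappings.items()
            if k not in ROOT_MAPPING_KEYS and k != "_all" and isinstance(v, dict)]


def find_legacy_problems(template):
    """Return the reasons a 7.x node would reject this legacy template."""
    problems = []
    if "template" in template:
        problems.append("'template' was replaced by 'index_patterns' (a list)")
    mappings = template.get("mappings", {})
    for name in _type_names(mappings):
        problems.append(f"mapping type name {name!r} is not allowed: types were removed in 7.0")
        if "_all" in mappings[name]:
            problems.append("'_all' metafield was removed in 7.0")
    if "_all" in mappings:
        problems.append("'_all' metafield was removed in 7.0")
    return problems


def to_v7_template(template):
    """Return a copy of a single-type legacy template in 7.x form."""
    new = copy.deepcopy(template)
    if "template" in new:
        new["index_patterns"] = [new.pop("template")]
    mappings = new.get("mappings", {})
    names = _type_names(mappings)
    if len(names) > 1:
        raise ValueError(f"multiple mapping types {names}: 7.x allows only one")
    if names:
        # Unwrap the type (e.g. "default" or "_default_") so "properties"
        # sits directly under "mappings".
        mappings.update(mappings.pop(names[0]))
    mappings.pop("_all", None)  # no replacement: copy_to is the 7.x idiom
    new["mappings"] = mappings
    return new


def curl_command(name, template, host="localhost:9200"):
    """Render the PUT _template request as a shell command string."""
    body = json.dumps(template, indent=2)
    return (f"curl -X PUT \"{host}/_template/{name}\" "
            f"-H 'Content-Type: application/json' -d '{body}'")


if __name__ == "__main__":
    for problem in find_legacy_problems(LEGACY_TEMPLATE):
        print("legacy:", problem)
    print(curl_command("logstash-2019.08.08-000001", to_v7_template(LEGACY_TEMPLATE)))
```

Two caveats when applying the rewritten template: an index template only affects indices created after it is installed, so the existing logstash-2019.08.08-000001 index keeps its current mapping until it is reindexed; and a pattern equal to one exact index name will not match the next index in a rollover series, so a wildcard such as "logstash-*" under "index_patterns" is the usual choice.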