I'm trying to use a separate index for my apache logs:
elasticsearch { host => localhost index => "http-%{+YYYY.MM.dd}" }
It doesn't look like the .raw fields are being created in ES, but as far as I can see it is using the same template as my logstash-* index. How can I get the .raw fields back?
So it seems although the elasticsearch output has a template_name parameter, it doesn't seem to work as expected. I changed my index name to logstash-http-%{+YYYY.MM.dd} and now the correct elasticsearch template is being used and the .raw fields are there.
Yeah, the standard template only applies to logstash-* indexes. The documentation isn't very clear on this. I think it's a good idea to self-manage the ES template(s) anyway.
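Added example (not code from the thread) showing why the http-* index misses the default template and what a self-managed template for it looks like. The template body is constructed after the shape of the Logstash 1.x default template, and the index names are the ones from the thread.

```python
import fnmatch

# Constructed self-managed template for the http-* indices: the "template" glob
# decides which new indices it applies to, and the dynamic template gives every
# string field a not_analyzed ".raw" sub-field (same idea as the default template).
HTTP_TEMPLATE = {
    "template": "http-*",
    "order": 0,
    "settings": {"index.refresh_interval": "5s"},
    "mappings": {"_default_": {"dynamic_templates": [{
        "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
                "type": "string", "index": "analyzed", "omit_norms": True,
                "fields": {"raw": {"type": "string", "index": "not_analyzed",
                                   "ignore_above": 256}},
            },
        }
    }]}},
}

# Stand-in for the template Logstash installs by default (constructed; only its
# "logstash-*" pattern matters here).
DEFAULT_LOGSTASH_TEMPLATE = {"template": "logstash-*", "order": 0, "mappings": {}}


def matching_templates(index_name, templates):
    """Names of the templates ES would apply when index_name is created.

    ES matches each template's "template" glob against the new index name;
    a template that does not match contributes no mappings at all."""
    return sorted(name for name, body in templates.items()
                  if fnmatch.fnmatchcase(index_name, body["template"]))


def has_raw_multifield(template):
    """True if the template's dynamic string mapping declares a .raw sub-field."""
    rules = template.get("mappings", {}).get("_default_", {}).get("dynamic_templates", [])
    for rule in rules:
        mapping = next(iter(rule.values())).get("mapping", {})
        if "raw" in mapping.get("fields", {}):
            return True
    return False


if __name__ == "__main__":
    installed = {"logstash": DEFAULT_LOGSTASH_TEMPLATE}
    print(matching_templates("http-2015.03.01", installed))           # [] -> no .raw fields
    print(matching_templates("logstash-http-2015.03.01", installed))  # ['logstash']
    installed["http"] = HTTP_TEMPLATE
    print(matching_templates("http-2015.03.01", installed))           # ['http']
```

To have Logstash install this body, write it to a file and point the output's `template =>` at it with `template_name => "http"` and `template_overwrite => true`; the same body can also be PUT directly to `/_template/http` on the cluster.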