Should I index log data with multifield mappings on string types?


I'm using Elasticsearch to store log data from various types of systems. When I first began configuring the ELK environment I noticed that in similar situations, users online indexed string types with a multifield mapping, using {fieldnames}.raw to satisfy the need of having not_analyzed strings in indices of log data. At the time, I figured doing it this way might be a good idea. I would have full-text search (analyzed strings) if needed, but still be able to search/sort unanalyzed strings as well - so I implemented this logic into the cluster.

As time has gone on, I've found that having analyzed strings in log data hasn't really benefited me at all. I don't search analyzed fields in my day-to-day use of Elasticsearch. My question is this: is using multifield mappings, like I am now, considered best-practice in this situation? Or would I be OK setting all string types to not_analyzed via index templates? Before I make the change I just wanted to inquire if I'd be in conflict with a best practice or missing something obvious.
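Both mappings the question contrasts, in one index template using the legacy `string` / `not_analyzed` syntax, as an added example that is not the poster's configuration: the dynamic template makes every new string field not_analyzed, while the explicit `message` mapping keeps the analyzed-plus-`.raw` multifield for the one field where full-text search may still be wanted. The `logs-*` pattern, the `message` field name and the `ignore_above` value are assumptions.

```json
{
  "template": "logs-*",
  "order": 0,
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings_not_analyzed": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed",
              "ignore_above": 1024
            }
          }
        }
      ],
      "properties": {
        "message": {
          "type": "string",
          "index": "analyzed",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed",
              "ignore_above": 1024
            }
          }
        }
      }
    }
  }
}
```

A template only applies to indices created after it is installed, so existing indices keep their current multifield mappings until they roll over or are reindexed. Values longer than `ignore_above` are silently not indexed in a not_analyzed field, so pick a limit larger than the longest value you expect to filter or sort on.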
