Hi everyone,
I'm currently changing my template mapping from Dynamic to Static.
I've done the following actions on Kibana, regardless of old data:
- Delete Index in Kibana
- Delete template
- Delete related indices
Then:
- Upload the new static template
- Send new logs and wait for them to appear
- Create a new Index again with Kibana
Every previous step has worked well, except that I'm surprised about the number of fields displayed in Kibana after index creation.
I actually obtained more recognized fields (most of them are indexed) compared to the fields that are added with the dynamic template.
I expected to only catch a small number of fields (maximum 10).
Here is the mapping:
```
"mappings": {
  "doc": {
    "properties": {
      "@timestamp" : { "type" : "date" },
      "@version" : { "type" : "keyword", "index" : false },
      "uri" : { "type" : "keyword" },
      "duration" : { "type" : "integer" },
      "status" : { "type" : "keyword" }
    }
  }
}
```
-> Do I have to specifically exclude other fields?
-> Does it matter with the way I manage my pattern?
I'm currently using ELK 6.2.
Thanks in advance!