Template Elasticsearch about data

Hello guys,

I'd like help defining my Elasticsearch 5.5.1 template.

An example line:

90|336882106|2080159|12F6|1162|025C|03/08/201708:02:46|A1|LEGACY|CATCH|10001|258|request|01|000541|01|3585086414|00|apache2|CATCH_ALL|4652414631

21 fields total.

A few questions before looking at the template:

  1. What is the difference between not analyzing a field and setting enabled: false on a field?
  2. Is numeric detection really interesting? Or is it better to define the format (long, int, short...) myself?

Also, I do not need full-text search; I just use keywords to aggregate and visualize (sum, average...). How can I do that?

Right now, my template.

I want :

No full-text search
Disabled or not-analyzed fields (I don't know the difference)

So what do you think about my current template:

{
  "order": 0,
  "template": "cra-dcb*",
  "settings": {
    "index": {
      "number_of_shards": "2",
      "number_of_replicas": "0",
      "refresh_interval": "59s"
    }
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings_as_keywords": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "text",
              "norms": false,
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            }
          }
        }
      ],
      "_all": {
        "enabled": false
      },
      "properties": {
        "cra_recordType": {
          "enabled": false
        },
        "cra_teleServ": {
          "enabled": false
        },
        "cra_ratingEvtType": {
          "enabled": false
        },
        "cra_zoneID": {
          "enabled": false
        }
      }
    }
  }
}

Thanks a lot for your help.

What is the difference between not analyzing a field and setting enabled: false on a field?

Disabling a field ("enabled": false) means that the field will not be indexed at
all, so it won't be searchable and you cannot aggregate on it.

Is numeric detection really interesting? Or is it better to define the format
(long, int, short...) myself?

If you know the potential range, it's better to define it yourself. For
instance, if you know it's going to be a small number, you could use a short
or integer rather than letting the detection handle it, in which case it will
always pick either a long or double (depending on whether it has a mantissa or
not).

Also, I do not need full-text search; I just use keywords to aggregate and
visualize (sum, average...). How can I do that?

In that case, just make the field a keyword field (for string data).
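The sizing advice in this answer, as an added example that is not part of the original thread: it reads sample lines, keeps codes and zero-padded values as keyword, and picks the narrowest Elasticsearch integer type for the rest. The names `field_01` to `field_21` are placeholders because the thread does not name the columns, and a type inferred from samples is only a starting point to check against the range you know each field can take.

```python
import json

# Sample record copied from the question above (pipe-delimited, 21 fields).
SAMPLE = ("90|336882106|2080159|12F6|1162|025C|03/08/201708:02:46|A1|LEGACY|CATCH|"
          "10001|258|request|01|000541|01|3585086414|00|apache2|CATCH_ALL|4652414631")

# Elasticsearch integer types, narrowest first, with their inclusive ranges.
INT_TYPES = [
    ("byte", -2**7, 2**7 - 1),
    ("short", -2**15, 2**15 - 1),
    ("integer", -2**31, 2**31 - 1),
    ("long", -2**63, 2**63 - 1),
]


def suggest_type(values):
    """Return the narrowest mapping type that holds every observed value."""
    numbers = []
    for v in values:
        digits = v[1:] if v.startswith("-") else v
        # Non-digits, or leading zeros ("000541"), mean the value is a code:
        # indexing it as a number would lose the zeros, so keep it a keyword.
        if not (digits.isascii() and digits.isdigit()):
            return "keyword"
        if len(digits) > 1 and digits[0] == "0":
            return "keyword"
        numbers.append(int(v))
    for name, low, high in INT_TYPES:
        if all(low <= n <= high for n in numbers):
            return name
    return "keyword"  # wider than a long: store it as a string


def suggest_properties(lines, sep="|"):
    """Build a 'properties' block from sample lines (placeholder field names)."""
    rows = [line.rstrip("\n").split(sep) for line in lines if line.strip()]
    widths = {len(r) for r in rows}
    if len(widths) != 1:
        raise ValueError("inconsistent field counts: %s" % sorted(widths))
    return {"field_%02d" % i: {"type": suggest_type(col)}
            for i, col in enumerate(zip(*rows), start=1)}


if __name__ == "__main__":
    print(json.dumps(suggest_properties([SAMPLE]), indent=2))
```

Feeding it more sample lines widens a column's type when a larger value appears, and a line with a different field count raises an error instead of producing a shifted mapping.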

Ok thank you @dakrone

I understand that an enabled: false field means it's saved in the database but takes little disk space because it's not searchable or aggregatable.
But if I configure a field => index : not_analyze, what does that mean?

OK, but how can I do it? Is my current template well configured for that? (string_as_keyword)

But if I configure a field => index : not_analyze, what does that mean?

This was an older method of marking a field as a keyword, the new way is to
simply use the keyword type in the mapping.

OK, but how can I do it? Is my current template well configured for that?
(string_as_keyword)

In your current template you are mapping the field as both text and keyword,
so instead of

"mapping": {
  "type": "text",
  "norms": false,
  "fields": {
    "keyword": {
      "type": "keyword",
      "ignore_above": 256
    }
  }
}

you could do

"mapping": {
   "type": "keyword"
}

Now everything works well.

Thank you @dakrone

I would like to know if I can define, for only one field, a full-text search mapping without keyword?
