I have a setup where I am shipping windows eventlogs using nxlog in JSON
format towards logstash which gets put into an elasticsearch cluster. The
"Message" field is currently being analysed which means that if I want to
visualise on Kibana all events sorted by Message the Message field gets
split by whitespace. I have read several posts regarding this topic and the
below docs
like http://www.elastic.co/guide/en/elasticsearch/reference/1.x/mapping.html
and http://www.elastic.co/guide/en/elasticsearch/reference/1.3/indices-templates.html
but I still have issue.
I have modified my logstash template to this, hoping the new created index
for today would not have this field analyzed anymore but its still not so.
curl -XPUT localhost:9200/_template/logstash -d '
{
"order" : 0,
"template" : "[logstash-]YYYY.MM.DD",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"default" : {
"dynamic_templates" : [ {
"string_fields" : {
"mapping" : {
"index" : "analyzed",
"omit_norms" : true,
"type" : "string",
"fields" : {
"raw" : {
"index" : "not_analyzed",
"ignore_above" : 256,
"type" : "string"
},
"Message" : {
"index" : "not_analyzed",
"type" : "string"
}
}
},
"match_mapping_type" : "string",
"match" : "*"
}
} ],
"properties" : {
"geoip" : {
"dynamic" : true,
"path" : "full",
"properties" : {
"location" : {
"type" : "geo_point"
}
},
"type" : "object"
},
"@version" : {
"index" : "not_analyzed",
"type" : "string"
}
},
"_all" : {
"enabled" : true
}
}
},
"aliases" : { }
}
'
My mapping for today seems to have this field, but I must admit I now
suspect I am adding this field definition the wrong way. Anyone have any
pointers or a better way how to get the visualisation sorted out so the
Message is not split by the whitespaces.
curl -XGET localhost:9200/_mapping?pretty | less
"logstash-2015.04.30" : {
"mappings" : {
"default" : {
"dynamic_templates" : [ {
"string_fields" : {
"mapping" : {
"index" : "analyzed",
"omit_norms" : true,
"type" : "string",
"fields" : {
"raw" : {
"index" : "not_analyzed",
"ignore_above" : 256,
"type" : "string"
},
"Message" : {
"index" : "not_analyzed",
"type" : "string"
}
}
},
"match" : "*",
"match_mapping_type" : "string"
}
} ],
"_all" : {
"enabled" : true
},
"properties" : {
"@version" : {
"type" : "string",
"index" : "not_analyzed"
},
"geoip" : {
"dynamic" : "true",
"properties" : {
"location" : {
"type" : "geo_point"
}
}
}
}
},
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/ac93ef48-3556-4e23-b733-05e9ae2c3b95%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.