Updating field mapping in Index Template

Hello all,

We have an application that sends logs daily to our ELK server. We are an index template which creates an new indice for each day. We are using ELK (with filebeat) 7.10

I am looking to update the mapping to include missing fields but unsure how this applies to an index template setup. I have read that ordinarily you need to create a second index with your required mapping and reindex your existing data in the second index to solve the issue.

I´m unsure how to apply this to our situation where there is a template and new indexes are created daily, do I just need to add the required mapping fields to template and somehow reindex the existing data against the template.

Thanks in advance.

Hi @randomnamegenerator,

You can update the index template as per the create or update API. The updated mapping would apply to new indices created with the template.

To apply the changes to your existing indices, as you correctly sumise, you would need to reindex the data and apply the template. There is an example here in the documentation using Painless if that helps.

Let us know how you get on!

Thank you for the article,

In my situation I have 3 indexes and over the top of of this is an logstash template.

logstash*
logstash-application-services*
logstash-application-server*

I wish to update the mapping for the logstash-application-services, the data is only stored on a single node.

Is it possible to somehow "backup" the data set to a *-2 or 3 etc just encase things don´t go as planned ?

Hi @randomnamegenerator,

I would recommend creating a snapshot of your indexes that you can restore if something goes wrong. Check out the documentation here.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.