We have an application that sends logs daily to our ELK server. We are using an index template which creates a new index for each day. We are using ELK (with Filebeat) 7.10.
I am looking to update the mapping to include missing fields but unsure how this applies to an index template setup. I have read that ordinarily you need to create a second index with your required mapping and reindex your existing data in the second index to solve the issue.
I'm unsure how to apply this to our situation, where there is a template and new indexes are created daily. Do I just need to add the required mapping fields to the template and somehow reindex the existing data against the template?
You can update the index template as per the create or update API. The updated mapping would apply to new indices created with the template.
To apply the changes to your existing indices, as you correctly surmise, you would need to reindex the data and apply the template. There is an example here in the documentation using Painless if that helps.
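The two steps from the answer above (update the template, then reindex each existing daily index into a new index that the template matches), as an added example that is not part of the original thread. It assumes a legacy template named `app-logs` with pattern `app-logs-*`, a new field `client_ip`, and a `-r1` suffix for the copies, all hypothetical; a composable template would use `_index_template` and wrap the mappings in a `template` object instead.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: template "app-logs",
# daily indices "app-logs-YYYY.MM.DD", new field "client_ip", suffix "-r1".
ES_URL="${ES_URL:-http://localhost:9200}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the requests, 0 = send them with curl

# es METHOD PATH [JSON_BODY]: print the request (dry run) or send it.
es() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s /%s %s\n' "$1" "$2" "${3:-}"
  else
    curl -sS -X "$1" "$ES_URL/$2" -H 'Content-Type: application/json' ${3:+-d "$3"}
  fi
}

# The destination name must still match the template's index_patterns,
# otherwise the updated mapping is not applied when _reindex creates it.
dest_index() { printf '%s-r1' "$1"; }

template_body() {
  # PUT _template replaces the whole legacy template, so the real body must
  # carry the existing settings and mappings too, not only the new field.
  cat <<'JSON'
{"index_patterns":["app-logs-*"],"mappings":{"properties":{"client_ip":{"type":"ip"}}}}
JSON
}

reindex_body() {
  printf '{"source":{"index":"%s"},"dest":{"index":"%s"}}' "$1" "$(dest_index "$1")"
}

# migrate INDEX...: update the template once, then copy each old index.
migrate() {
  es PUT "_template/app-logs" "$(template_body)"
  for idx in "$@"; do
    es POST "_reindex?wait_for_completion=true" "$(reindex_body "$idx")"
    # Compare document counts before deleting the original index.
    es GET "$idx/_count"
    es GET "$(dest_index "$idx")/_count"
  done
}

migrate app-logs-2021.01.04 app-logs-2021.01.05   # constructed index names
```

Run it as is to review the requests, then with `DRY_RUN=0` to send them. Reindexing only changes how values already present in `_source` are mapped; it does not create values for fields the original documents never contained.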