Using "dynamic" : "strict" to prevent unintended fields from being created?

LeeSyd · November 30, 2015, 3:24pm

I've taken on an environment and am getting up to speed on the ELK stack. In some of my old indices are a lot of randomly named fields where a URI or some HTTP content has been passed in and not correctly parsed into fields.

I've created a new EL2.1 cluster and would like to prevent this in future. I've tried setting "dynamic" : "strict" and explicity defined the fields and mappings I want to see within a template but it appears that when passing info over from Logstash, when it attempts to create additional field and hits this setting, the document is not loaded into EL.

Can anybody advise if there is a way that I can get documents to load all permitted fields and ignore those not defined?

Thanks

jpountz · November 30, 2015, 5:37pm

Maybe dynamic: false is what you are looking for? It will ignore all fields that are not defined in the mappings (but they will still remain accessible via the _source).

LeeSyd · December 3, 2015, 10:10am

Perfect - thank you. I had searched the current version documentation and not found detail on the options available but have tried this and it works as required. Have subsequently found more detail in "Elasticsearch: The Definitive Guide".

Thanks

Topic		Replies	Views
A question about dynamic templates Elasticsearch	8	1425	July 2, 2020
Making dataTypes of existing field as strict but allowing accepting new fields dynamically Elasticsearch	1	485	July 5, 2017
Unable to disable dynamic mapping Elasticsearch	8	1652	July 5, 2017
Allowing only fields described in dynamic templates Elasticsearch	3	564	July 5, 2017
Dynamic mapping strict to true Elasticsearch	11	9855	May 12, 2021

Using "dynamic" : "strict" to prevent unintended fields from being created?

Related topics