Using "dynamic" : "strict" to prevent unintended fields from being created?

LeeSyd · November 30, 2015, 3:24pm

I've taken on an environment and am getting up to speed on the ELK stack. In some of my old indices are a lot of randomly named fields where a URI or some HTTP content has been passed in and not correctly parsed into fields.

I've created a new EL2.1 cluster and would like to prevent this in future. I've tried setting "dynamic" : "strict" and explicity defined the fields and mappings I want to see within a template but it appears that when passing info over from Logstash, when it attempts to create additional field and hits this setting, the document is not loaded into EL.

Can anybody advise if there is a way that I can get documents to load all permitted fields and ignore those not defined?

Thanks

jpountz · November 30, 2015, 5:37pm

Maybe dynamic: false is what you are looking for? It will ignore all fields that are not defined in the mappings (but they will still remain accessible via the _source).

LeeSyd · December 3, 2015, 10:10am

Perfect - thank you. I had searched the current version documentation and not found detail on the options available but have tried this and it works as required. Have subsequently found more detail in "Elasticsearch: The Definitive Guide".

Thanks