Where can I find the default template?

camkidman · March 14, 2017, 11:27pm

Hi there,

I've got the following in my elasticsearch configuration file:

output {
  elasticsearch { hosts => ["https://...."]
    index => "production-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}

I'm running into the field limit of 1000 and I'm not sure how to increase that dynamically from logstash's configuration. It seems like I need to update the default index template, but I can't find logstash's default template anywhere, and I'd like to use that with the one modification. Is there a configuration option I can specify in the output right in the logstash config? The docs have very little information about template management: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#_template_management_for_elasticsearch_5_x

Thanks in advance!

theuntergeek · March 15, 2017, 12:07am

The code is at https://github.com/logstash-plugins/logstash-output-elasticsearch/tree/master/lib/logstash/outputs/elasticsearch

On an installed Logstash, the default templates will be in the vendor subdirectory where Logstash is installed, in this path:

vendor/bundle/jruby/#.#/gems/logstash-output-elasticsearch-#.#.#-java/lib/logstash/outputs/elasticsearch

Logstash really shouldn't be used for template management. We really only include these default templates to provide a better out-of-the-box experience. If you have many indices and figure on needing many templates, Logstash is not the recommended tool for template management. Get used to managing templates using the API.

UPDATE: JRuby version numbers differ, so the path was updated to reflect that.

warkolm · March 15, 2017, 3:54am

I've raised https://github.com/elastic/logstash/issues/6815 to see how we can make this easier.

camkidman · March 15, 2017, 3:26pm

Thanks all, I'll dig into it. Question about the template management @theuntergeek -- Right now logstash is creating a date index each day on elasticsearch, are you meaning that should also be managed from elasticsearch?

Everything I found said I should update logstash to configure whatever settings I want when it creates its index, so I'm just wondering if I'm doing it wrong by trying to edit the template on the logstash side.

theuntergeek · March 15, 2017, 3:49pm

@camkidman if you only ever plan to have logstash-YYYY.MM.DD indices, then Logstash will be an adequate choice for managing a single template. It really starts to get ridiculous when you have multiple types, and therefore have to manage multiple output blocks, each with their own template, that you begin to realize that Logstash isn't a great tool for that purpose.

I do not recommend editing the template "on the logstash side," in the vendor directory. Copy it out somewhere, and set template => to point to that location in your output block.

camkidman · March 15, 2017, 3:51pm

Okay, that's good knowledge all around. Thanks a lot! I did copy the template already and put it in place and it works just fine. Thanks for your time!

system · April 12, 2017, 3:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.