1
votes

I am using logstash to input my logs in elasticsearch. Every day, it creates a new index.

Here is the output part of my logstash config file:

output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["127.0.0.1"]
        index => "logstash-%{+YYYY.MM.dd}"
    }
}

I want some fields to be not analysed. But every day, when a new index is created, a new mapping is created and all the fields are analysed. How can I force elasticsearch to use a particular mapping every time a new index is created?

2
What do you get when you run the following command? curl -XGET localhost:9200/_template

Val

2 Answers

2
votes

You can do this by assigning templates and managing them, for example my configuration:

elasticsearch {
    hosts => ["localhost:9200"]
    index => "XXX-%{+YYYY.ww}"
    template => "/opt/logstash/templates/XXX.json"
    template_name => "XXX"
    manage_template => true
}

I believe my configuration may be slightly out of date, as we are sadly on an older version of logstash... So it would be helpful to read up on this in the docs: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html

This is definitely possible inside logstash though.

Artur

0
votes

You can use an ES index template, which will then be used when creating an index: https://www.elastic.co/guide/en/elasticsearch/reference/2.4/indices-templates.html

In your case the template would look like this:

{
  "template": "logstash-*",
  "mappings": {
    "_default_": {
      ...
    }
  }
}
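
A filled-in version of such a template for Elasticsearch 2.x, added here as an example and not part of the original answer: the dynamic template maps every newly seen string field as not_analyzed, while the explicit entry for message (Logstash's standard field) keeps it analyzed for full-text search. The field names src_ip and username and the dynamic template name example_strings_not_analyzed are hypothetical.

```json
{
  "template": "logstash-*",
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "example_strings_not_analyzed": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ],
      "properties": {
        "@timestamp": { "type": "date" },
        "message": { "type": "string", "index": "analyzed" },
        "src_ip": { "type": "string", "index": "not_analyzed" },
        "username": { "type": "string", "index": "not_analyzed" }
      }
    }
  }
}
```

Saved to a file, this can be loaded through the template option shown in the first answer; a template is applied only when an index is created, so existing indices keep their old mapping and the change takes effect with the next daily index.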