On 20 June 2014, at 18:43, Brian wrote:
> Re: double the storage. I strongly recommend ELK users to disable the _all
> field. The entire text of the log events generated by logstash ends up in the
> message field (and not @message as many people incorrectly post). So the _all
> field is just redundant overhead with no value add. The result is a dramatic
> drop in database file sizes and dramatic increase in load performance. Of
> course, you need to configure ES to use the message field as the default for
> a Lucene Kibana query.

The "message" field can be edited during logstash filtering, but admitting it's
enough, I would love to remove the "_all" field and point Kibana to "message".
Oddly, I can't find the "_all" field, neither in Sense nor in Kibana. I know
it's enabled:

GET _template/logstash
{
  "logstash": {
    "order": 0,
    "template": "logstash-*",
    "settings": {
      "index.refresh_interval": "5s"
    },
    "mappings": {
      "_default_": {
        "dynamic_templates": [
          {
            "string_fields": {
              "mapping": {
                "index": "analyzed",
                "omit_norms": true,
                "type": "string",
                "fields": {
                  "raw": {
                    "index": "not_analyzed",
                    "ignore_above": 256,
                    "type": "string"
                  }
                }
              },
              "match_mapping_type": "string",
              "match": "*"
            }
          }
        ],
        "properties": {
          "geoip": {
            "dynamic": true,
            "path": "full",
            "properties": {
              "location": {
                "type": "geo_point"
              }
            },
            "type": "object"
          },
          "@version": {
            "index": "not_analyzed",
            "type": "string"
          }
        },
        "_all": {
          "enabled": true <------
        }
      }
    },
    "aliases": {}
  }
}

But it looks like I can't retrieve/display its content. Any idea?
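
Added example, not part of the original message or of the Logstash project: the template quoted above with the two changes Brian describes, written as a request body for PUT _template/logstash. It assumes the Elasticsearch 1.x index setting index.query.default_field is what selects the default field for Lucene query strings; everything else is copied from the template in the message.

```json
{
  "order": 0,
  "template": "logstash-*",
  "settings": {
    "index.refresh_interval": "5s",
    "index.query.default_field": "message"
  },
  "mappings": {
    "_default_": {
      "_all": { "enabled": false },
      "dynamic_templates": [
        {
          "string_fields": {
            "mapping": {
              "index": "analyzed",
              "omit_norms": true,
              "type": "string",
              "fields": {
                "raw": { "index": "not_analyzed", "ignore_above": 256, "type": "string" }
              }
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],
      "properties": {
        "geoip": {
          "dynamic": true,
          "path": "full",
          "properties": {
            "location": { "type": "geo_point" }
          },
          "type": "object"
        },
        "@version": { "index": "not_analyzed", "type": "string" }
      }
    }
  }
}
```

Index templates are applied only when an index is created, so existing logstash-* indices keep their "_all" field until they roll over or are reindexed. By default "_all" is indexed for search but neither stored nor included in _source, so it is never returned in query results.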