Patrick,
Well, I did answer your question. But probably not from the direction you
expected.
When I create and manage specific indices, I lock down Elasticsearch. When
I update the mappings, I understand that ES will not allow the mapping for
an existing field to be modified in an incompatible way. So I only update
to add new fields, and never to change or remove an existing field.
For time-based indices as used by the ELK stack, it makes the most sense to
me to create an on-disk mapping template. So I always disable the all field
and pre-map a subset of string fields as shown in my previous post. I do
this because when the next day arrives and logstash causes a new index to
be created, that new index will also set my default mapping from the
template.
I don't disable the _all field in an existing index that currently has it
enabled. I don't know if it would succeed or fail, but I would not expect
it to be successful.
Instead, based on my previous experience with ES, I disable the _all field
and have disabled it from the very first test deployment of the ELK stack
in our group. And then I configured my ES startup script to set message as
the default field for a Lucene query. This was already set up and working
when I let others have access to it for the very first time. So I don't
know the answer to your specific question.
But I do know that a lot of experimentation went into my ELK configurations
before I let anyone else look at it for the very first time. So don't be
afraid to change your mappings and leave the old ones behind, and re-add
data as needed to get everything just the way you want it.
Brian
On Monday, June 30, 2014 1:22:34 AM UTC-4, Patrick Proniewski wrote:
>
> Brian,
>
> Thank you for the reply, even if it does not answer my question.
>
> By the way, how am I supposed to change a mapping setting? Do I have to
> push back the entire mapping with one line modified, or can I just push
> something like:
>
> {
> "logstash": {
> "mappings": {
> "_default_": {
> "_all": {
> "enabled": false
> }
> }
> }
> }
> }
>
>
>
> On 20 juin 2014, at 23:04, Brian wrote:
>
> > Patrick,
> >
> > Here's my template, along with where the _all field is disabled. You may
> wish to add this setting to your own template, and then also add the index
> setting to ignore malformed data (if someone's log entry occasionally slips
> in "null" or "no-data" instead of the usual numeric value):
> >
> > {
> > "automap" : {
> > "template" : "logstash-*",
> > "settings" : {
> > "index.mapping.ignore_malformed" : true
> > },
> > "mappings" : {
> > "_default_" : {
> > "numeric_detection" : true,
> > "_all" : { "enabled" : false },
> > "properties" : {
> > "message" : { "type" : "string" },
> > "host" : { "type" : "string" },
> > "UUID" : { "type" : "string", "index" : "not_analyzed" },
> > "logdate" : { "type" : "string", "index" : "no" }
> > }
> > }
> > }
> > }
> > }
> >
> > Brian
>
>
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/2ff289e5-baf7-4d25-8412-8fcf967440fc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
