Hey,
thx for your response.
As I already mentioned, I tried setting the index.query.default_field to
"message".
{
  "template" : "logstash-*",
  "settings" : {
    "index.number_of_shards" : 3,
    "index.number_of_replicas" : 0,
    "index.refresh_interval" : "30s",
    "index.store.compress.stored" : true,
    "index.store.compress.tv" : true,
    "index.query.default_field" : "message",
    "analysis" : {
      "analyzer" : {
        "default" : {
          "type" : "standard",
          "stopwords" : "_none_"
        }
      }
    }
  },
  "mappings" : {
    "_default_" : {
      "_all" : { "enabled" : false },
      "_source" : { "compress" : true },
      "dynamic_templates" : [ {
        "string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "string",
            "fields" : {
              "{name}" : { "type" : "string", "index" : "not_analyzed" }
            }
          }
        }
      } ],
      "properties" : {
        "@version" : { "type" : "string", "index" : "not_analyzed" },
        "@timestamp" : { "type" : "date", "index" : "not_analyzed" },
        "tags" : { "type" : "string", "index" : "not_analyzed" }
      }
    }
  }
}
That was the template that I used. This is working fine for all events
except the Netflow ones, because they don't have a "message" field for
Kibana to search in. That's what my mess is.
Is it possible to adjust the template/mapping per type of event?
Cheers
On Monday, June 30, 2014 09:08:22 UTC+2, Alexander Reelsen wrote:
>
> Hey,
>
> you can set the index.query.default_field in the mapping to circumvent
> this, see
> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/mapping-all-field.html#mapping-all-field
>
>
> --Alex
>
>
> On Tue, Jun 24, 2014 at 12:39 PM, horst knete <[email protected]> wrote:
>
>> Hey guys,
>>
>> I really want to disable the _all-Field in the ES-Indices to save some
>> disk-space on our system.
>>
>> Normally it's not the problem - adjust template in ES, and set
>> "message"-Field to the new default query field, that is normally available
>> in any event.
>>
>> The problem is that we also have many netflow-events with the
>> netflow-codec that have the following form:
>>
>>
>> <https://lh4.googleusercontent.com/-CDQQs5e5a7o/U6lUvjikncI/AAAAAAAAACo/LHpMXlYLMWw/s1600/netflow.PNG>
>>
>> As you might notice there isn't any "message"-field so the Kibana lucene
>> query would run into an error.
>>
>> My question is - how do I manage it to make this work (disabling
>> _all-Field but search in the netflow-events)?
>>
>> Thanks for response.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "elasticsearch" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/elasticsearch/9ab09bba-392f-4f77-8937-aa518c22292f%40googlegroups.com
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>