Brian,
On 30 juin 2014, at 22:59, Brian wrote:
> Well, I did answer your question. But probably not from the direction you
> expected.
hmm no, you didn't. My question was: "it looks like I cant retrieve/display
[_all fields] content. Any idea?" and you replied with your logstash template
where _all is disabled.
I'm interested in disabling _all, but that was not my question at this point.
Your answer to my second message, below, is informative and interesting but
fails to answer my second question too. I simply asked whether I need to feed
the complete modified mapping of my template or if I can just push the modified
part (ie. the _all:{enabled: false} part).
> When I create and manage specific indices, I lock down Elasticsearch. When I
> update the mappings, I understand that ES will not allow the mapping for an
> existing field to be modified in an incompatible way. So I only update to add
> new fields, and never to change or remove an existing field.
>
> For time-based indices as used by the ELK stack, it makes the most sense to
> me to create an on-disk mapping template. So I always disable the all field
> and pre-map a subset of string fields as shown in my previous post. I do this
> because when the next day arrives and logstash causes a new index to be
> created, that new index will also set my default mapping from the template.
>
> I don't disable the _all field in an existing index that currently has it
> enabled. I don't know if it would succeed or fail, but I would not expect it
> to be successful.
>
> Instead, based on my previous experience with ES, I disable the _all field
> and have disabled it from the very first test deployment of the ELK stack in
> our group. And then I configured my ES startup script to set message as the
> default field for a Lucene query. This was already set up and working when I
> let others have access to it for the very first time. So I don't know the
> answer to your specific question.
>
> But I do know that a lot of experimentation went into my ELK configurations
> before I let anyone else look at it for the very first time. So don't be
> afraid to change your mappings and leave the old ones behind, and re-add data
> as needed to get everything just the way you want it.
>
> Brian
>
> On Monday, June 30, 2014 1:22:34 AM UTC-4, Patrick Proniewski wrote:
> Brian,
>
> Thank you for the reply, even if it does not answer my question.
>
> By the way, how am I supposed to change a mapping setting? Do I have to push
> back the entire mapping with one line modified, or can I just push something
> like:
>
> {
> "logstash": {
> "mappings": {
> "_default_": {
> "_all": {
> "enabled": false
> }
> }
> }
> }
> }
>
>
>
> On 20 juin 2014, at 23:04, Brian wrote:
>
> > Patrick,
> >
> > Here's my template, along with where the _all field is disabled. You may
> > wish to add this setting to your own template, and then also add the index
> > setting to ignore malformed data (if someone's log entry occasionally slips
> > in "null" or "no-data" instead of the usual numeric value):
> >
> > {
> > "automap" : {
> > "template" : "logstash-*",
> > "settings" : {
> > "index.mapping.ignore_malformed" : true
> > },
> > "mappings" : {
> > "_default_" : {
> > "numeric_detection" : true,
> > "_all" : { "enabled" : false },
> > "properties" : {
> > "message" : { "type" : "string" },
> > "host" : { "type" : "string" },
> > "UUID" : { "type" : "string", "index" : "not_analyzed" },
> > "logdate" : { "type" : "string", "index" : "no" }
> > }
> > }
> > }
> > }
> > }
> >
> > Brian
>
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/B44B497A-5DC3-4BC5-9164-7F53B5D1D6B6%40patpro.net.
For more options, visit https://groups.google.com/d/optout.
