Within my configuration directory's templates/automap.json file is the
following template. Elasticsearch uses this template whenever it generates
a new logstash index each day:

{
  "automap" : {
    "template" : "logstash-*",
    "settings" : {
      "index.mapping.ignore_malformed" : true
    },
    "mappings" : {
      "_default_" : {
        "numeric_detection" : true,
        "_all" : { "enabled" : false },
        "properties" : {
          "message" : { "type" : "string" },
          "host" : { "type" : "string" },
          "UUID" : { "type" : "string", "index" : "not_analyzed" },
          "logdate" : { "type" : "string", "index" : "no" }
        }
      }
    }
  }
}

Note:
1. How to ignore malformed data (for example, a numeric field that contains
"no-data" every once in a while).
2. How to automatically detect numeric fields. Logstash makes every JSON
value a string. Elasticsearch automatically detects dates, but must be
explicitly configured to automatically detect numeric fields.
3. Listing fields that must be considered to be strings even if they
contain numeric values, or must not be analyzed, or must not be indexed at
all.
4. Disabling of the _all field: As long as your logstash configuration
leaves the message field pretty much intact, disabling the _all field will
reduce disk space and increase performance while still keeping all search
functionality. But then, don't forget to also update your Elasticsearch
configuration to specify message as the default field.
Hope this helps!
Brian
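
Added example (not part of the message above, and not Elasticsearch code): a simplified Python model of how the template's explicit properties, numeric_detection and ignore_malformed interact when string-valued events arrive. The field names bytes and rtime, the sample events and the function names are constructed for illustration; the number patterns are an approximation of Elasticsearch's own parsing.

```python
import re

# Fields the template maps explicitly; these are never auto-detected.
EXPLICIT = {"message": "string", "host": "string",
            "UUID": "string", "logdate": "string"}
PATTERNS = {
    "long": re.compile(r"[+-]?\d+"),
    "double": re.compile(r"[+-]?(\d+\.\d*|\.\d+|\d+)([eE][+-]?\d+)?"),
}

def fits(value, ftype):
    """True if a string value can be stored in a field of type ftype."""
    return ftype == "string" or PATTERNS[ftype].fullmatch(value) is not None

def detect(value):
    """numeric_detection (simplified): type a new field from its first value."""
    return next((t for t in ("long", "double") if fits(value, t)), "string")

def index_events(events, ignore_malformed=True):
    """Return (mapping, fields dropped per event, indexes of rejected events)."""
    mapping, dropped, rejected = dict(EXPLICIT), [], []
    for i, event in enumerate(events):
        trial = dict(mapping)
        bad = [f for f, v in event.items()
               if not fits(v, trial.setdefault(f, detect(v)))]
        if bad and not ignore_malformed:
            rejected.append(i)      # the whole event fails to index
            dropped.append([])
            continue
        mapping = trial             # commit any newly detected fields
        dropped.append(bad)         # event indexed, malformed fields skipped
    return mapping, dropped, rejected

# Constructed sample events, with every value a string as Logstash sends them.
EVENTS = [
    {"message": "GET /index.html", "host": "web01", "UUID": "12345",
     "bytes": "512", "rtime": "0.25"},
    {"message": "GET /health", "host": "web01", "UUID": "67890",
     "bytes": "no-data", "rtime": "0.01"},
]

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, index_events(EVENTS, ignore_malformed=flag))
```

With ignore_malformed on, the second event is still indexed and only its bytes value is skipped; with it off, that event is rejected, which for a log pipeline means a silently missing record.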