Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
Z
Z
zdravnik2016-06-20 13:16:44
elasticsearch
zdravnik, 2016-06-20 13:16:44

How to create raw fields for custom logstash indexes?

Good afternoon.
At first, I used the default logstash-* index, in which, in addition to the main fields, raw fields were also created.
Decided to put a part of the data in a separate index. I read the docks and seemed to set everything up as it should, as a result, in the elastic I have a breakdown into the fields I need, but there are no raw fields that are convenient to use for dashboards.
My output config

output {
if [Alert_Analyzer_Name] == "ossec" {
elasticsearch {
hosts => "127.0.0.1:9200"
index => "logstash-%{+YYYY.MM.dd}"
template_overwrite => "true"
}
}
if [ type] == "weblog" {
elasticsearch {
hosts => "127.0.0.1:9200"
index => "weblog-%{+YYYY.MM.dd}"
template_overwrite => "true"
}
}
}

curl -XGET localhost:9200/_template/logstash*
{"logstash":{"order":0,"template":"weblog-*","settings":{"index":{"refresh_interval":"5s" }},"mappings":{"_default_":{"dynamic_templates":[{"message_field":{"mapping":{"index":"analyzed","omit_norms":true,"type":"string" },"match_mapping_type":"string","match":"message"}},{"string_fields":{"mapping":{"index":"analyzed","omit_norms":true,"type":" string","fields":{"raw":{"ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*"}}],"_all":{"omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic" :true,"type":"object","properties":{"location":{"type":"geo_point"}}},"@version":{"index":"not_analyzed","type": "string"}}}},"aliases":{}}}}index":"not_analyzed","type":"string"}}}},"aliases":{}}}}index":"not_analyzed","type":"string"}}}},"aliases":{}}}}

curl -XGET localhost:9200/_template/weblog*
{"weblog-*":{"order":0,"template":"logstash-*","settings":{"index":{"refresh_interval":"5s"}},"mappings":{" _default_":{"dynamic_templates":[{"message_field":{"mapping":{"index":"analyzed","omit_norms":true,"type":"string"},"match_mapping_type":"string" ,"match":"message"}},{"string_fields":{"mapping":{"index":"analyzed","omit_norms":true,"type":"string","fields":{" raw":{"ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*"}}],"_all":{"omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object ","properties":{"location":{"type":"geo_point"}}},"@version":{"index":"not_analyzed","type":"string"}}}}," aliases":{}},"weblog":{"order":0,"template":"logstash-*","settings":{"index":{"refresh_interval":"5s"}},"mappings ":{"_default_":{"dynamic_templates":[{"message_field":{"mapping":{"index":"analyzed","omit_norms":true,"type":"string"},"match_mapping_type" :"string","match":"message"}},{"string_fields":{"mapping":{"index":"analyzed","omit_norms":true,"type":"string","fields": {"raw":{"ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*"}}], "_all":{"omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object","properties":{"location" :{"type":"geo_point"}}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}}}:"message"}},{"string_fields":{"mapping":{"index":"analyzed","omit_norms":true,"type":"string","fields":{"raw":{ "ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*"}}],"_all":{" omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object","properties":{"location":{"type": "geo_point"}}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}}}:"message"}},{"string_fields":{"mapping":{"index":"analyzed","omit_norms":true,"type":"string","fields":{"raw":{ "ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*"}}],"_all":{" omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object","properties":{"location":{"type": "geo_point"}}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}}}mapping":{"index":"analyzed","omit_norms":true,"type":"string","fields":{"raw":{"ignore_above":256,"index":"not_analyzed", "type":"string"}}},"match_mapping_type":"string","match":"*"}}],"_all":{"omit_norms":true,"enabled":true},"properties ":{"geoip":{"dynamic":true,"type":"object","properties":{"location":{"type":"geo_point"}}},"@version":{" index":"not_analyzed","type":"string"}}}},"aliases":{}}}}mapping":{"index":"analyzed","omit_norms":true,"type":"string","fields":{"raw":{"ignore_above":256,"index":"not_analyzed", "type":"string"}}},"match_mapping_type":"string","match":"*"}}],"_all":{"omit_norms":true,"enabled":true},"properties ":{"geoip":{"dynamic":true,"type":"object","properties":{"location":{"type":"geo_point"}}},"@version":{" index":"not_analyzed","type":"string"}}}},"aliases":{}}}}"fields":{"raw":{"ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*" }}],"_all":{"omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object","properties": {"location":{"type":"geo_point"}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}} }"fields":{"raw":{"ignore_above":256,"index":"not_analyzed","type":"string"}}},"match_mapping_type":"string","match":"*" }}],"_all":{"omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object","properties": {"location":{"type":"geo_point"}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}} }"_all":{"omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object","properties":{"location" :{"type":"geo_point"}}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}}}"_all":{"omit_norms":true,"enabled":true},"properties":{"geoip":{"dynamic":true,"type":"object","properties":{"location" :{"type":"geo_point"}}}},"@version":{"index":"not_analyzed","type":"string"}}}},"aliases":{}}}

At the same time, fields are present in the logstash-* raw indexes, but they are not in the weblog-* index.
I use logstash 2.3 and elastic 2.3.
I tried a bunch of recipes, but nothing helped, maybe I don’t understand something.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
A
Alexey Cheremisin, 2016-06-20
@zdravnik

We take settings and mapping from the old index.
GET logstash-my-old-index/_settings
GET logstash-my-old-index/_mapping
After that, in the mapping, look for the definition of "fields": {"raw": "not_analyzed"}
Should be something like this

....
"myfield" : {
   "type": "string",
   .....
   "fields": {
      "raw": { "type" :"string", "index": "not_analyzed"}
    }
}
....

Example: https://www.elastic.co/guide/en/elasticsearch/guid...
Description: https://www.elastic.co/guide/en/elasticsearch/ref...

Similar questions
V
Vladimir Yegudin2018-03-22 16:31:16
How to select objects from the database by geo coordinate with the condition that the coordinate is included in the object polygons? 2Reply
R
Rag'n' Code Man2021-07-21 03:28:04
How to index MongoDB for ElasticSearch? 1Reply
S
Sergey_mur2018-04-03 22:03:13
What could be the problem with Elasticsearch curator? 1Reply
D
Drum Kit2015-12-14 09:29:48
Is it possible to use sin or cos in Elasticsearch? 1Reply
S
Sword_Dancer2018-05-23 17:03:43
How to get data from Kibana with filter by timestamp and field match? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question