add custom mapping for elasticsearch in logstash

Question

I am using logstash to input my logs in elasticsearch. Everyday, it create a new index

here is my output part of my logstash config file

output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["127.0.0.1"]
        index => "logstash-%{+YYYY.MM.dd}"
    }
}

I want some fields to be not analysed. But everyday when a new index is created, a new mapping is created and all the fields are analysed. How can I force elasticsearch to use a particular mapping every time a new index is created?

Answer 1

You can do this by assigning templates and managing them, for example my configuration:

 elasticsearch {
            hosts => ["localhost:9200"]
            index => "XXX-%{+YYYY.ww}"
            template => "/opt/logstash/templates/XXX.json"
            template_name => "XXX"
            manage_template => true
 }

I believe my configuration may be slightly out of date, as we are sadly on an older version of logstash ... So it would be helpful to read up on this on the docs: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html

This is definitely possible inside logstash though.

Artur

Answer 2

You can use a ES index template, which then will be used when creating an index: https://www.elastic.co/guide/en/elasticsearch/reference/2.4/indices-templates.html.

In your case the template would look like this:

{
  "template": "logstash-*",
  "mappings": {
    "_default_": {
      ...
    }
  }
}