ElasticSearch - Change mapping to a field

Question

I'm using elasticsearch cluster version 1.7.2, and trying to change the mapping (I think) of one of the fields to ignore this character: '-'

the field is 'Request.Headers.Host', and the value can include '-' like: "app-cdn.cap.com"

#curl -X GET http://10.2.5.181:9200?pretty
{
  "status" : 200,
  "name" : "log-zone-a",
  "cluster_name" : "cap-logs",
  "version" : {
    "number" : "1.7.2",
    "build_hash" : "e43676b1385b7f593f7202acbd816e8ec",
    "build_timestamp" : "2015-09-14T09:49:53Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}

I saw it's related to the parameter not_analyzed, and from what I've found in the web, I tried this:

#curl -X PUT '{"mappings":{"logs":{"properties":{"Request.Headers.Host":{"type":"string","index":"not_analyzed"}}}}}' http://10.2.5.181:9200/logstash-2016.12.27/logs/_mapping?pretty
curl: (3) [globbing] nested braces not supported at pos 13
{
  "error" : "ActionRequestValidationException[Validation Failed: 1: mapping source is empty;]",
  "status" : 400
}
#curl -H 'Accept: application/json' -X PUT http://10.2.5.181:9200/logstash-2016.12.27?pretty -d @/home/moses/mapping.json
{
  "error" : "RemoteTransportException[[log-zone-b][inet[/10.2.105.181:9300]][indices:admin/create]]; nested: IndexAlreadyExistsException[[logstash-2016.12.27] already exists]; ",
  "status" : 400
}

#cat /home/moses/mapping.json | jq .
{
  "logstash-2016.12.27": {
    "mappings": {
      "logs": {
        "properties": {
          "Request.Headers.Host": {
            "type": "string",
            "index": "not_analyzed"
          }
        }
      }
    }
  }
}

When I'm changing the mapping and doing the same for non existing index it's success but the index seems wrong, separate the 'Request.Headers.Host' with the dots :(

#cat /home/moses/mapping.json
{"Request.Headers.Host":{"type":"string","index":"not_analyzed"}}

    #curl -H 'Accept: application/json' -X PUT http://10.2.5.181:9200/logstash-2016.12.30?pretty -d @/home/moses/mapping.json
    {
      "acknowledged" : true
    }

#curl -H 'Accept: application/json' -X GET http://10.2.5.181:9200/logstash-2016.12.30?pretty
{
"logstash-2016.12.30" : {
"aliases" : { },
"mappings" : { },
"settings" : {
  "index" : {
    "creation_date" : "1483011476137",
    "Request" : {
      "Headers" : {
        "Host" : {
          "type" : "string",
          "index" : "not_analyzed"
        }
      }
    },
    "uuid" : "M6Ly0wvwTGu1aulSViYcPg",
    "number_of_replicas" : "1",
    "number_of_shards" : "5",
    "version" : {
      "created" : "1070299"
    }
  }
},
"warmers" : { }
  }
}

How do I set this kind of mapping configuration to the current indexes and future indexes?

Thanks, Moshe

You can't update mapping for existing fields. You have two workaround here 1) Reindex whole data with updated mapping. But make sure you put mapping before indexing the data. 2) Add new `not_analyzed` field in existing index . [Reference -1](http://stackoverflow.com/questions/25471715/create-or-update-mapping-in-elasticsearch) , [Reference-2](http://stackoverflow.com/questions/16290636/how-to-update-a-field-type-in-elasticsearch) — Roopendra, Dec 29 '16 at 11:52
About the hyphen: see [ElasticSearch - Searching with hyphens](http://stackoverflow.com/questions/30917043/elasticsearch-searching-with-hyphens) — Roeland Van Heddegem, Dec 29 '16 at 12:01
@rvheddeg I have issues with hyphens when I'm creating dashboards, kibana parse the value of: "Request.Headers.Host": "app-cdn.cap.com" as two values: "app" and "cdn.cap.com" — Moshe Saada, Jan 02 '17 at 08:50

score 0 · Answer 1 · answered Jan 01 '17 at 01:17

0

To properly set the mapping for an inner field like "Request.Headers.Host", you have to define the multiple levels:

{
  "logs" : {
    "properties" : {
      "Request" : {
        "properties" : {
          "Headers" : {
            "properties": {
              "Host": {
               "type" : "string",
               "index": "not_analyzed"
              }
            }
          }
        }
      }
    }
  }
}

answered Jan 01 '17 at 01:17

Alain Collins

16,268
2
32
55

thanks @AlainCollins ! I'm pretty noob in ES, how do I permanent this mapping to the future indexes? – Moshe Saada Jan 02 '17 at 09:08
To set a mapping for a future index, use a [template](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html). – Alain Collins Jan 02 '17 at 18:20
thanks @AlainCollins How do I set default mapping for specific index (name for example: logstash-2016.02.01)? I need the default for that index will be "not_analyzed" without specifying each field. – Moshe Saada Jan 03 '17 at 11:03
For one index, you would set the mapping (before the index was created). But if you have daily indexes like that, you're going to want a template. To make all strings not_analyzed, you can use a dynamic_mapping. – Alain Collins Jan 03 '17 at 16:46

ElasticSearch - Change mapping to a field

1 Answers1