Make a field as an "INDEXED" in elasticsearch

Question

I am using ELK stack with filebeat. I am using a default template for mapping. I am not getting all needed fields as "indexed"

Here is my mapping file,

 {
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": true,
        "norms": {
          "enabled": false
        }
      },
      "dynamic_templates": [
        {
          "template1": {
            "mapping": {
              "doc_values": true,
              "ignore_above": 1024,
              "index": "not_analyzed",
              "type": "{dynamic_type}"
            },
            "match": "*"
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "offset": {
          "type": "long",
          "doc_values": "true"
        }
      }
    }
  },
  "settings": {
    "index.refresh_interval": "5s"
  },
  "template": "filebeat-*"
}

Here is my config file for output.

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"  
    document_type => "%{[@metadata][type]}"
  }
}

Let's say I want a field name channelas an indexed field. How to modify the template?

In Kibana, in the left side bar, If I filter `available fields` with `indexed` as a `yes`, I am not getting that field in the result. When I go to Visualize and try to create a bar chart, for x -axis I select `Aggregation` as `Terms`, then in the `Field` dropdown I don't get `channel` field to select. — Bhargav Patel, Mar 16 '16 at 14:15
How can I confirm, if logstash is using correct template or not for mapping. — Bhargav Patel, Mar 16 '16 at 14:52
This gives me expected result, `curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty&search_type=count' -d '{"aggregations": {"my_test": {"terms": {"field": "channel"}}}}'` why I will not have an option in KIBANA — Bhargav Patel, Mar 16 '16 at 16:14
Kibana caches the mapping. Try going to Settings->Indexes, selecting your index, then clicking the orange Reload button. — Alain Collins, Mar 16 '16 at 17:09
wow!..thanks you so much! I spent a whole day yesterday to find it! — Bhargav Patel, Mar 16 '16 at 17:31
@AlainCollins one more question, I can make all fields as indexed. But is that a good practise? if not then how to decide which fields should be indexed. — Bhargav Patel, Mar 16 '16 at 17:34

Make a field as an "INDEXED" in elasticsearch

0 Answers0