0

I've set up an Elastic Stack 5.3 to aggregate logs from a bunch of servers, with Filebeat in each of the servers scraping the logs and sending them to a centralised Logstash, Elasticsearch and Kibana.

I've set up my Logstash configuration to extract some custom string fields but I wish to change the index template to change their type from "text" to "keyword". I've found the configuration directives to specify my own template, but where can I find Logstash's default template so I can use it as a starting point? I've searched under /etc/logstash and /usr/share/logstash (I've installed a vanilla Logstash 5.3 RPM on RHEL 7) but couldn't find anything.

Any good example of how to create a non-standard index template on Logstash 5.x would be really handy; most of the examples I have found predate Beats and the new string types in 5.x. The documentation leaves something to be desired.

Sonafets

1 Answer

2

The default elasticsearch index template can be found in the logstash-output-elasticsearch plugin repository at https://github.com/logstash-plugins/logstash-output-elasticsearch/tree/master/lib/logstash/outputs/elasticsearch

You'll find different templates in there, for ES 2.x, 5.x and 6.x; the one you're looking for is probably the 5.x one.

Val
  • Thanks! I also noted that logstash prints the template in its startup log (/var/log/logstash/logstash.plain): [2017-04-04T13:36:38,202][INFO ][logstash.outputs.elasticsearch] Attempting to install template {template content omitted} – Sonafets Apr 05 '17 at 09:35
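
One way to derive a custom template from the default one, as an added example that is not part of the original answer or the plugin's own code. It assumes the 5.x layout with a `_default_` mapping type; the sample template is a constructed, trimmed stand-in and the field names are hypothetical.

```python
import copy
import json

# Constructed, trimmed stand-in for a 5.x-style template (NOT the plugin's
# actual file; download that from the repository linked in the answer).
SAMPLE_TEMPLATE = {
    "template": "logstash-*",
    "settings": {"index.refresh_interval": "5s"},
    "mappings": {
        "_default_": {
            "properties": {
                "@timestamp": {"type": "date"},
                "@version": {"type": "keyword"},
            }
        }
    },
}


def with_keyword_fields(template, fields, doc_type="_default_", ignore_above=None):
    """Return a copy of `template` with each field in `fields` explicitly
    mapped as keyword. Dotted names ("http.method") become nested objects."""
    result = copy.deepcopy(template)
    mapping = result.setdefault("mappings", {}).setdefault(doc_type, {})
    for field in fields:
        props = mapping.setdefault("properties", {})
        *parents, leaf = field.split(".")
        for parent in parents:
            node = props.setdefault(parent, {})
            # A parent that already has a scalar type cannot hold sub-fields.
            if "type" in node and node["type"] != "object":
                raise ValueError(f"{parent!r} in {field!r} is already a leaf field")
            props = node.setdefault("properties", {})
        if "properties" in props.get(leaf, {}):
            raise ValueError(f"{field!r} is already mapped as an object")
        props[leaf] = {"type": "keyword"}
        if ignore_above is not None:
            props[leaf]["ignore_above"] = ignore_above
    return result


if __name__ == "__main__":
    # Hypothetical field names; use the ones your Logstash filters extract.
    custom = with_keyword_fields(SAMPLE_TEMPLATE, ["app_name", "http.method"])
    print(json.dumps(custom, indent=2))
```

Save the output to a file and point the elasticsearch output's `template` option at it, with `template_overwrite => true` so it replaces the template Logstash already installed. The new mapping only applies to indices created after the template is installed.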