CODEWITHSUNDEEP
elasticsearchlogstashkibana
Kennedy Kan
Kennedy Kan

Reputation: 383

Logstash issues in creating index remove .raw field in kibana

I have written a logstash conf filefor reading logs. If I use the default index, that is logstash-*, I could see .raw field in kibana. However, if I create a new index in conf file in logstash like

output{
    elasticsearch {
      hosts => "localhost"
      index => "batchjob-*"} 
}

Then the new index cant configure .raw field. Is there any resolve ways to solve it? Great Thanks.

Upvotes: 1

Views: 395

Answers (1)

Val
Val

Reputation: 217334

The raw fields are created by a specific index template that the Logstash elasticsearch output creates in Elasticsearch.

What you can do is simply copy that template to a file named batchjob.json and change the template name to batchjob-* (see below)

{
  "template" : "batchjob-*",
  "settings" : {
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : true, "omit_norms" : true},
      "dynamic_templates" : [ {
        "message_field" : {
          "match" : "message",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "string", "index" : "analyzed", "omit_norms" : true,
            "fielddata" : { "format" : "disabled" }
          }
        }
      }, {
        "string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "string", "index" : "analyzed", "omit_norms" : true,
            "fielddata" : { "format" : "disabled" },
            "fields" : {
              "raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
            }
          }
        }
      } ],
      "properties" : {
        "@timestamp": { "type": "date" },
        "@version": { "type": "string", "index": "not_analyzed" },
        "geoip"  : {
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip" },
            "location" : { "type" : "geo_point" },
            "latitude" : { "type" : "float" },
            "longitude" : { "type" : "float" }
          }
        }
      }
    }
  }
}

Then you can modify your elasticsearch output like this:

output {
    elasticsearch {
      hosts => "localhost"
      index => "batchjob-*"
      template_name => "batchjob"
      template => "/path/to/batchjob.json"
    } 
}

Upvotes: 3

Related Questions