Terms
Term: an individual word (the smallest unit after splitting)
Mapping introduction
Elasticsearch Reference [2.4] » Mapping
Mapping defines how a document and the fields it contains are stored and indexed.
Why deal with mapping
We need mapping because we want to collect business information in addition to logs. Business logs differ from system logs: they carry many custom fields, and we push this information to a separate index. The ultimate goal is to use Kibana's graphical display for statistics and analysis, for example a ranking of accesses per user (field: user:test@gmail.com). When no mapping is set, ES applies a dynamic mapping, and the default index setting for a string field is analyzed. As a result, test@gmail.com is split into test and gmail.com (how it is split depends on which analyzer is used). That makes the statistics hard to compute, so we have to set the mapping explicitly.
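The effect of that split on a per-user ranking can be seen in a small simulation. This is an added example, not code from the original article or from Elasticsearch: the tokenizer is a simplified stand-in for the analyzer, and the sample documents and the names index_terms, terms_aggregation, DOCS, DYNAMIC and EXPLICIT are constructed for illustration.

```python
import re
from collections import Counter

# Simplified stand-in for the analyzer (assumption): lowercase the value, then
# keep runs of letters/digits, allowing dots inside a run. It only reproduces
# the split described in the text; real analyzers differ in detail.
TOKEN = re.compile(r"[a-z0-9]+(?:\.[a-z0-9]+)*")

def index_terms(value, index_mode):
    """Return the terms that end up in the index for one string value."""
    if index_mode == "not_analyzed":
        return [value]                    # whole value kept as a single term
    return TOKEN.findall(value.lower())   # analyzed: value split into terms

def terms_aggregation(docs, field, mapping):
    """Count documents per indexed term, as a terms aggregation would."""
    # A string field without an explicit mapping defaults to "analyzed".
    mode = mapping.get(field, {}).get("index", "analyzed")
    counts = Counter()
    for doc in docs:
        # set(): a document counts once per term, however often it repeats
        counts.update(set(index_terms(doc[field], mode)))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample business-log documents (not real data).
DOCS = (
    [{"user": "test@gmail.com"}] * 3
    + [{"user": "alice@gmail.com"}] * 2
    + [{"user": "bob@example.org"}]
)

DYNAMIC = {}  # no mapping set: dynamic mapping, string is analyzed
EXPLICIT = {"user": {"type": "string", "index": "not_analyzed"}}

if __name__ == "__main__":
    print("analyzed:    ", terms_aggregation(DOCS, "user", DYNAMIC))
    print("not_analyzed:", terms_aggregation(DOCS, "user", EXPLICIT))
```

With the dynamic mapping the top bucket is gmail.com, which merges every Gmail user into one entry; with not_analyzed each address is its own bucket.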
Mapping parameters » index
If you select an analyzed field for a terms aggregation in Kibana, you will see a corresponding warning.
Customizing the mapping
You can customize the mapping through the API. (This is best done before data starts being indexed, because indexing data sets the mapping dynamically, and modifying it afterwards can cause conflicts.) Newly added fields can still be added later by modifying the mapping. ES supports multiple types in one index, and a mapping can also target a single type within an index.
Example:
# The URL is quoted so the shell does not expand the * in the index pattern.
curl -XPUT 'http://localhost:9200/business-index-*/_mapping/biz' -d '
{
  "properties": {
    "uri": {"type": "string", "index": "not_analyzed"},
    "user": {"type": "string", "index": "not_analyzed"},
    "keyword": {"type": "string", "index": "not_analyzed"},
    "ResponseStatus": {"type": "integer"},
    "ResponseTime": {"type": "long"}
  }
}'
Custom Template
For a fixed, known index, setting the mapping is enough to achieve our goal. For example, a merchandise index does not change: the documents inside it are added, deleted, modified and queried, but the index itself is always there.
For data such as logs and analytics data, however, the volume grows at an alarming rate, and keeping it all in one index is unrealistic. So ELK has the "time-based index pattern", which creates a new index daily or monthly, for example the Logstash log index logstash-2016.08.20. For this scenario you need a higher-level configuration: the index template.
An example of setting up your own template:
curl -XPUT 'http://localhost:9200/_template/business' -d '
{
  "template": "business*",
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "_default_": {
      "properties": {
        "uri": {"type": "string", "index": "not_analyzed"},
        "user": {"type": "string", "index": "not_analyzed"},
        "keyword": {"type": "string", "index": "not_analyzed"},
        "ResponseStatus": {"type": "integer"},
        "ResponseTime": {"type": "long"}
      }
    }
  }
}'
The settings and mappings are applied to any index whose name matches the business* pattern.