Elasticsearch Learning Notes (IV): Mapping

Source: Internet
Author: User
Tags curl syslog logstash
Brief introduction to mapping

Elasticsearch is a schema-less system, but that does not mean it has no schema. Rather, it guesses the field type you want from the underlying type of the JSON source data and converts the incoming data into searchable index entries. A mapping in Elasticsearch is similar to a data type in a statically typed language, but it carries more meaning than a language data type does: the mapping is the data type we define for a field, and it tells Elasticsearch how to index the data and whether it can be searched.

Adding, deleting, changing and viewing mappings

Elasticsearch can create new mappings based on new fields in the data. Of course, we can also define our own mapping before any real data is written; data written afterwards is then mapped according to that definition. If later data contains other fields, Elasticsearch handles them automatically.
curl -XPUT 'http://localhost:9200/logstash-2016.01.01/_mapping' -d '
{
	"mappings": {
		"syslog": {
			"properties": {
				"@timestamp": {
					"type": "date"
				},
				"message": {
					"type": "string"
				},
				"PID": {
					"type": "long"
				}
			}
		}
	}
}'

Note that the mapping of an existing index cannot be changed; for existing indexes, Elasticsearch only handles new fields automatically as they appear. If you really do need to modify a mapping, you have to reindex, that is, re-import the data.

Reindex

Elasticsearch does not provide rename, mapping alter, or similar operations on an index. If you need to change the mapping of a field, you have to rely on other tools. To rebuild the index with Logstash: in the latest version of Logstash, the logstash-input-elasticsearch plugin has been modified so that reindexing can be done through Logstash.

Delete: Although Elasticsearch automatically adds mappings when data is written, deleting the data does not remove its mapping.

# curl -XDELETE 'http://localhost:9200/logstash-2016.01.01/syslog'

This removes all the data under syslog, but the syslog mapping is still there. The command to delete the mapping is:

# curl -XDELETE 'http://localhost:9200/logstash-2016.01.01/_mapping'

Deleting the index also deletes the mapping:

# curl -XDELETE 'http://localhost:9200/logstash-2016.01.01'

View: The most direct way to learn about index mappings is to look at one: data that Logstash writes to Elasticsearch gets a meaningful mapping generated from the template that ships with Logstash.

Elasticsearch data types

Elasticsearch data types are the basis of the Lucene index, and also the basis for our manual mapping adjustments. Mapping is primarily about setting the type, and the type-related parameters, of each field. The JSON base types are as follows:

string: string
number: byte, short, integer, long, float, double
time: date
boolean: true, false
array: array
object: object

Types unique to Elasticsearch:

multiple: multi
latitude and longitude: geo_point
network address: ip
stacked object: nested object
binary: binary
attachment: attachment
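
The rule stated above (new fields are picked up automatically, but the mapping of an existing field can only be changed by reindexing) can be checked before a mapping change is rolled out to a log index. The following Python is an added example, not part of the original notes; it compares only the type and index settings, and the clientip and title fields in the sample are constructed.

```python
def flatten(properties, prefix=""):
    """Flatten a mapping "properties" dict into {dotted.field: settings}."""
    out = {}
    for name, spec in properties.items():
        path = prefix + name
        # Compare only the two basic options: type and index.
        # Defaults are not expanded, so write them the same way on both sides.
        out[path] = {k: spec[k] for k in ("type", "index") if k in spec}
        # Inner objects nest under "properties", multi-fields under "fields".
        for key in ("properties", "fields"):
            out.update(flatten(spec.get(key, {}), path + "."))
    return out


def plan_mapping_change(current, desired):
    """Return (addable, needs_reindex, unchanged) lists of field paths."""
    cur, want = flatten(current), flatten(desired)
    addable = sorted(f for f in want if f not in cur)
    needs_reindex = sorted(f for f in want if f in cur and want[f] != cur[f])
    unchanged = sorted(f for f in want if f in cur and want[f] == cur[f])
    return addable, needs_reindex, unchanged


# Constructed sample: the syslog mapping shown earlier as the live mapping ...
CURRENT = {
    "@timestamp": {"type": "date"},
    "message": {"type": "string"},
    "PID": {"type": "long"},
}
# ... and a desired mapping that changes one field and adds new ones.
DESIRED = {
    "@timestamp": {"type": "date"},
    "message": {"type": "string", "index": "not_analyzed"},
    "PID": {"type": "long"},
    "clientip": {"type": "ip"},
    "title": {"type": "string",
              "fields": {"raw": {"type": "string", "index": "not_analyzed"}}},
}

if __name__ == "__main__":
    addable, needs_reindex, unchanged = plan_mapping_change(CURRENT, DESIRED)
    print("can be added in place:", addable)
    print("requires reindex:     ", needs_reindex)
    print("unchanged:            ", unchanged)
```
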
Note: Elasticsearch mappings have a two-tier index/type relationship, but the actual indexing is done per index. If the same field is mapped inconsistently in different types under the same index, the data can still be written successfully and each type generates its own mapping, but the index results in fielddata are actually still generated according to the mapping of the first type in the index.

Custom field mappings

Elasticsearch's mapping defines the index field names and their data types, and can also add special properties to certain fields: whether the field is analyzed, whether it is stored, which analyzer to use, and so on.

Exact index: Fields have a few basic mapping options: the type (type) and the indexing method (index). Taking the string type as an example, index has three options:

analyzed: the default option; the string is analyzed and indexed in the standard full-text format.
not_analyzed: exact index; the string is not analyzed, and the exact content of the field is indexed directly.
no: the field is not indexed.

For log files, many fields do not need to go through Elasticsearch's analysis step, so we can set this:
"Myfieldname": {
	"type": "string",
	"index": "not_analyzed"
}
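
What the three index options mean for an exact-match search on a log field can be seen with a small in-memory inverted index. This Python is an added example, not part of the original notes; the analyze function is a simplified stand-in for Elasticsearch's analysis step (an assumption), and the request field and its values are constructed.

```python
import re
from collections import defaultdict


def analyze(value):
    """Rough stand-in for "analyzed": lowercase and split into word tokens.
    Assumption: a simplification, not Elasticsearch's real analyzer."""
    return re.findall(r"[a-z0-9]+", value.lower())


def build_index(docs, field, index_option):
    """Build {term: set(doc_ids)} for one field under a given "index" option."""
    inverted = defaultdict(set)
    for doc_id, doc in enumerate(docs):
        value = doc.get(field)
        if value is None or index_option == "no":
            continue  # "no": the field is not indexed, so it cannot be searched
        terms = analyze(value) if index_option == "analyzed" else [value]
        for term in terms:
            inverted[term].add(doc_id)
    return inverted


def term_lookup(inverted, term):
    """Exact term lookup: the term must equal an indexed term exactly."""
    return sorted(inverted.get(term, set()))


# Constructed log records; "request" is a hypothetical field name.
DOCS = [
    {"request": "/admin/login.php"},
    {"request": "/index.html"},
    {"request": "/ADMIN/login.php"},
]

if __name__ == "__main__":
    for option in ("analyzed", "not_analyzed", "no"):
        idx = build_index(DOCS, "request", option)
        print(option,
              "| full value ->", term_lookup(idx, "/admin/login.php"),
              "| token 'login' ->", term_lookup(idx, "login"))
```

With analyzed, the full value is never stored as a single term, so only the token lookup hits; with not_analyzed, only the exact, case-sensitive value hits.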

Time format: The time format used by @timestamp is called $time_iso8601 in Nginx, date-rfc3339 in Rsyslog, and dateOptionalTime in Elasticsearch. In fact, Elasticsearch can accept other time formats as the content of a time field. For Elasticsearch, the content of a time field is actually converted to a long for internal storage. The accepted time format can therefore be set freely:
"@timestamp": {
	"type": "date",
	"index": "not_analyzed",
	"doc_values": true,
	"format": "dd/MM/yyyy:HH:mm:ss Z"
}
Multiple indexes: Multiple indexes (multi-fields) are a mapping habit familiar to Logstash users, because this is the configuration Logstash enables by default:
"title": {
	"type": "string",
	"fields": {
		"raw": {
			"type": "string",
			"index": "not_analyzed"
		}
	}
}
When data is written to the title field, Elasticsearch automatically generates two fields, title and title.raw. This way, in environments that need both analyzed and not-analyzed results, you can use the different index fields flexibly. For example, to see the most commonly used words in titles, use the title field; to see the most-read article titles, use the title.raw field.

Multi-valued field:

Blank field: An array can be empty, which is equivalent to having zero values. In fact, Lucene cannot store null values, so a field with a null value is treated as an empty field. The following four fields are recognized as empty fields and are not indexed:

"empty_string": "",
"null_value": null,
"empty_array": [],
"array_with_null_value": [null]

Multi-layer objects: The last natural JSON data type we need to discuss is the object. Inner objects are often used to embed one entity or object inside another. For example
