As stated in the previous article, ES can automatically index documents. But here's the problem: what if the mapping it sets by default isn't what we want?
Keep in mind that in a search engine like ES the index is the actual partition. An index contains different types, and types are logical partitions. Different types may contain a field with the same name. If the field's type is the same in each, that is fine; if it differs, the result is a field conflict.
This article describes how to set a default mapping using the REST API and Logstash.
Setting the default mapping using the REST API
First, let's look at what happens when we index a field holding an IP address without setting a default mapping. Enter the following command:
$ curl -XPUT localhost:9200/test/test/1 -d '{"IP": "192.168.0.1"}'
Viewing the mapping shows that, although we want the field stored as the ip type, by default it is stored as the string type:
$ curl -XGET 'localhost:9200/test/_mapping?pretty'
{
  "test" : {
    "mappings" : {
      "test" : {
        "properties" : {
          "IP" : {
            "type" : "string"
          }
        }
      }
    }
  }
}
That's not what we want.
Once the mapping is set, it cannot be modified. So to run the experiment again, you first need to delete the test index:
$ curl -XDELETE localhost:9200/test
{"acknowledged":true}
Then set the default mapping for test:
$ curl -XPUT localhost:9200/test -d '{"mappings": {"_default_": {"properties": {"IP": {"type": "ip"}}}}}'
The command above creates the test index with a default mapping in which the IP field has the type ip. Now, when we query the mapping of test, we find that the IP field has been set to ip:
$ curl -XGET 'localhost:9200/test/_mapping?pretty'
{
  "test" : {
    "mappings" : {
      "_default_" : {
        "properties" : {
          "IP" : {
            "type" : "ip"
          }
        }
      }
    }
  }
}
Then insert a document. To observe how the mapping changes after the insert, you can include more than one field:
$ curl -XPUT localhost:9200/test/test/2 -d '{"name": "Xingoo", "IP": "192.168.0.1"}'
Querying the mapping now returns the default mapping as well as the mapping of the current type:
$ curl -XGET 'localhost:9200/test/_mapping?pretty'
{
  "test" : {
    "mappings" : {
      "test" : {
        "properties" : {
          "IP" : {
            "type" : "ip"
          },
          "name" : {
            "type" : "string"
          }
        }
      },
      "_default_" : {
        "properties" : {
          "IP" : {
            "type" : "ip"
          }
        }
      }
    }
  }
}
Congratulations! The type of the IP field is now ip. Other types, such as date, geo and object, can be set in a similar way.
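The check done by eye above can be automated. The following is an added example, not code from the original article: it parses a _mapping response and reports fields whose type differs between the types of one index (the field conflict described at the start) and fields that do not follow the _default_ mapping. It assumes the response layout shown above; the sample data, including the hypothetical "legacy" type, is constructed.

```python
import json

# Constructed sample in the shape of the _mapping responses above (ES 1.x/2.x
# layout). The "legacy" type is hypothetical: it was auto-mapped as string.
SAMPLE = json.loads("""
{"test": {"mappings": {
  "_default_": {"properties": {"IP": {"type": "ip"}}},
  "test":   {"properties": {"IP": {"type": "ip"}, "name": {"type": "string"}}},
  "legacy": {"properties": {"IP": {"type": "string"}}}
}}}
""")


def walk(props, prefix=""):
    """Yield (dotted_field_path, es_type), descending into object fields."""
    for name, spec in props.items():
        yield prefix + name, spec.get("type", "object")
        if "properties" in spec:
            yield from walk(spec["properties"], prefix + name + ".")


def field_types(mapping):
    """Yield (index, type_name, field, es_type) for each mapped field."""
    for index, body in mapping.items():
        for type_name, tmap in body.get("mappings", {}).items():
            for field, es_type in walk(tmap.get("properties", {})):
                yield index, type_name, field, es_type


def conflicts(mapping):
    """Fields whose type differs between the types of one index."""
    seen = {}
    for index, type_name, field, es_type in field_types(mapping):
        seen.setdefault((index, field), {})[type_name] = es_type
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}


def drift_from_default(mapping):
    """Rows (index, type, field, actual, expected) that ignore _default_."""
    rows = list(field_types(mapping))
    want = {(i, f): t for i, tn, f, t in rows if tn == "_default_"}
    return [(i, tn, f, t, want[i, f]) for i, tn, f, t in rows
            if tn != "_default_" and want.get((i, f), t) != t]


if __name__ == "__main__":
    for row in drift_from_default(SAMPLE):
        print("%s/%s: %s is %s, default mapping says %s" % row)
    for (index, field), by_type in conflicts(SAMPLE).items():
        print("conflict in %s.%s: %s" % (index, field, by_type))
```

To run it against a live cluster, replace SAMPLE with the parsed output of the _mapping request shown above.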
Configuring the default mapping in Logstash
In Logstash the default mapping is set through a template; the principle is similar.
First we need a default mapping file with the following contents:
{
  "template" : "logstash-*",
  "mappings" : {
    "_default_" : {
      "properties" : {
        "IP" : {
          "type" : "ip"
        }
      }
    }
  }
}
Here template defines the index pattern to match; to target one particular index, write that index's name directly. The mappings section that follows defines the mapping and has the same content as in the API call.
With the above file in place, you can configure the output plugin in Logstash:
output {
  elasticsearch {
    host => "localhost"                 # address of the ES server
    protocol => "http"                  # protocol to use; node may be the default, depending on the machine's environment
    index => "logstash-%{+YYYY.MM.dd}"  # index pattern to match
    document_type => "Test"             # type of the index; old configurations use index_type, which is deprecated in the new version, so document_type is recommended
    manage_template => true             # note: defaults to true; must not be set to false
    template_overwrite => true          # if true, a new template overwrites an old template with the same name
    template_name => "Mylogstash"       # note: this name is used to look up the mapping configuration; try to make it globally unique
    template => "d:/test/logstash.conf" # location of the mapping configuration file
  }
}
The last four settings are the ones to pay attention to when using a default mapping. For details, see the Logstash source.
Elasticsearch _default_--Adding a default mapping for an index