1

I'm trying to add a default-mapping.json file but I'm not sure if it is read. How can I properly test it? And if it is failing to be read, how do I specify Elasticsearch to read that file? This is the file in /etc/default:

# Run Elasticsearch as this user ID and group ID
#ES_USER=elasticsearch
#ES_GROUP=elasticsearch

# Heap Size (defaults to 256m min, 1g max)
#ES_HEAP_SIZE=2g

# Heap new generation
#ES_HEAP_NEWSIZE=

# max direct memory
#ES_DIRECT_SIZE=

# Maximum number of open files, defaults to 65535.
#MAX_OPEN_FILES=65535

# Maximum locked memory size. Set to "unlimited" if you use the
# bootstrap.mlockall option in elasticsearch.yml. You must also set
# ES_HEAP_SIZE.
#MAX_LOCKED_MEMORY=unlimited

# Maximum number of VMA (Virtual Memory Areas) a process can own
#MAX_MAP_COUNT=262144

# Elasticsearch log directory
#LOG_DIR=/var/log/elasticsearch

# Elasticsearch data directory
#DATA_DIR=/var/lib/elasticsearch

# Elasticsearch work directory
#WORK_DIR=/tmp/elasticsearch

# Elasticsearch configuration directory
#CONF_DIR=/etc/elasticsearch

# Elasticsearch configuration file (elasticsearch.yml)
#CONF_FILE=/etc/elasticsearch/elasticsearch.yml

# Additional Java OPTS
#ES_JAVA_OPTS=

# Configure restart on package upgrade (true, every other setting will lead to not restarting)
#RESTART_ON_UPGRADE=true

And then this is the default-mapping.json placed in /etc/elasticsearch:

{
    "_default_": {
        "_all": { "enabled": false },
        "_source": { "compress": true },
        "properties" : {
            "message" : { "type" : "string", "index" : "analyzed" },
            "source_host" : { "type" : "string", "index" : "not_analyzed" },
            "tags": { "type": "string", "index" : "not_analyzed" },
            "@timestamp" : { "type" : "date", "index" : "not_analyzed" },
            "type" : { "type" : "string", "index" : "not_analyzed" }
        }
    }
}
2
  • What are you trying to do here? Why would you add fields in the default mapping file? Commented Aug 5, 2014 at 0:04
  • When I query the fields in Kibana, I don't want it to be tokenized by whitespace and not lowercased. Commented Aug 5, 2014 at 18:38

2 Answers

3

The good way to create a default mapping in Elasticsearch is via templates. Here is what yours would look like:

{
    "template_11": {
        "template": "*",
        "mappings": {
            "_default_": {
                "_all": {
                    "enabled": false
                },
                "_source": {
                    "compress": true
                },
                "properties": {
                    "message": {
                        "type": "string",
                        "index": "analyzed"
                    },
                    "source_host": {
                        "type": "string",
                        "index": "not_analyzed"
                    },
                    "tags": {
                        "type": "string",
                        "index": "not_analyzed"
                    },
                    "@timestamp": {
                        "type": "date",
                        "index": "not_analyzed"
                    },
                    "type": {
                        "type": "string",
                        "index": "not_analyzed"
                    }
                }
            }
        }
    }
}

Put this template inside $config_dir/templates/template_11.json

If you're unsure what your path is, check https://stackoverflow.com/a/23338461/1619406

For example, mine was /usr/share/elasticsearch/config/templates/templates_11.json

Now, every time you create a new index, it will use this template as the default mapping.

Hope this helps,

References:

Index Template

Default Mapping


Update: the aforementioned answer is no longer applicable for versions 2.x or 5.x according to this answer, which references these two links in documentation, and discussion.


2 Comments

I'm trying to make the fields in Kibana not be tokenized on whitespace, but it doesn't seem to be working. How should I properly test what the problem is?
You can also use the API to put your templates. Check here: elastic.co/guide/en/elasticsearch/reference/current/…
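
One way to check whether the template's mapping actually reached an index is to compare the index's live mapping with the fields the template declares. The following is an added example, not code from the question or the answers; the index name, the doc type and the sample response are constructed, and the response shape assumed is the one Elasticsearch 1.x returns for GET /<index>/_mapping.

```python
import json

# Constructed sample: "_default_" properties from the template ("@timestamp" omitted).
EXPECTED = {
    "message": {"type": "string", "index": "analyzed"},
    "source_host": {"type": "string", "index": "not_analyzed"},
    "tags": {"type": "string", "index": "not_analyzed"},
    "type": {"type": "string", "index": "not_analyzed"},
}

# Constructed sample of a GET /<index>/_mapping response in the 1.x shape.
# Index name "logstash-2014.08.05" and doc type "logs" are made up.
SAMPLE_RESPONSE = json.loads("""
{"logstash-2014.08.05": {"mappings": {"logs": {"properties": {
  "message":     {"type": "string"},
  "source_host": {"type": "string"},
  "tags":        {"type": "string", "index": "not_analyzed"},
  "@timestamp":  {"type": "date", "format": "dateOptionalTime"}
}}}}}
""")

def mapping_drift(response, expected):
    """Return sorted (index, doc_type, field, problem) tuples for expected fields."""
    problems = []
    for index, body in response.items():
        for doc_type, mapping in body.get("mappings", {}).items():
            if doc_type == "_default_":
                continue  # the default entry itself is not a real type
            props = mapping.get("properties", {})
            for field, want in expected.items():
                have = props.get(field)
                # Assumption: "index" is omitted from the response when it is
                # the string default ("analyzed"), so absent means analyzed.
                if have is None:
                    problem = "missing"
                elif have.get("type") != want["type"]:
                    problem = "type is %s" % have.get("type")
                elif have.get("index", "analyzed") != want["index"]:
                    problem = "index is %s, expected %s" % (
                        have.get("index", "analyzed"), want["index"])
                else:
                    continue
                problems.append((index, doc_type, field, problem))
    return sorted(problems)


if __name__ == "__main__":
    for row in mapping_drift(SAMPLE_RESPONSE, EXPECTED):
        print(*row)
```

Feed it the parsed output of curl -s 'http://localhost:9200/<index>/_mapping'. An index created before the template was installed keeps its old mapping, so drift on an old index does not by itself mean the template was ignored.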
0

Test the analyzer used when indexing the field value using the /analyze endpoint.

curl -s -XGET 'http://localhost:9200/url-test/_analyze?text=http://example.com&pretty'

You need to define a raw field (not analyzed) to search on:

"fieldname": {
    "type": "string",
    "norms": {
        "enabled": false
    },
    "fielddata": {
        "format": "disabled"
    },
    "fields": {
        "raw": {
            "type": "string",
            "index": "not_analyzed",
            "doc_values": true,
            "ignore_above": 256
        }
    }
},
