Error in new ElasticSearch index template support


The new ElasticSearch template support in 1.3 seems to create mappings like this:

Notice that the two parts of the multi_field are named eventlog_severity and eventlog_severity.raw. To access the raw field, I have to refer to it as "eventlog_severity.eventlog_severity.raw" instead of "eventlog_severity.raw".

According to the ES docs, this multi_field should be defined something like this instead:

That is, in my case, the two parts should be named "eventlog_severity" and "raw", and should be accessed as "eventlog_severity" and "eventlog_severity.raw".

Update: I am using Logstash 1.3.1 and ElasticSearch 0.90.7.



Aaron Mildenstein


Lucas Pimentel
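The naming problem described in the report can be checked mechanically. The following is an added example, not code from the report or from Logstash: it walks a mapping's `properties` and flags `multi_field` sub-fields whose names repeat the parent field name. The function name and both sample mappings are constructed for illustration.

```python
# Added example: audit an Elasticsearch 0.90-style mapping for multi_field
# sub-fields whose names repeat the parent field name.

def find_prefixed_subfields(properties, path=""):
    """Return one dict per sub-field named '<parent>.<something>'."""
    findings = []
    for name, spec in properties.items():
        full = f"{path}.{name}" if path else name
        if spec.get("type") == "multi_field":
            for sub in spec.get("fields", {}):
                if sub == name:
                    continue  # default sub-field, addressed by the parent name
                if sub.startswith(name + "."):
                    findings.append({
                        "field": full,
                        "subfield": sub,
                        "actual_path": f"{full}.{sub}",
                        "intended_path": f"{full}.{sub[len(name) + 1:]}",
                    })
        elif "properties" in spec:  # nested object: recurse into it
            findings.extend(find_prefixed_subfields(spec["properties"], full))
    return findings


# Constructed sample mappings (not copied from the report): the first uses
# the sub-field names the report describes, the second the names it expects.
REPORTED = {
    "eventlog_severity": {
        "type": "multi_field",
        "fields": {
            "eventlog_severity": {"type": "string", "index": "analyzed"},
            "eventlog_severity.raw": {"type": "string", "index": "not_analyzed"},
        },
    }
}
EXPECTED = {
    "eventlog_severity": {
        "type": "multi_field",
        "fields": {
            "eventlog_severity": {"type": "string", "index": "analyzed"},
            "raw": {"type": "string", "index": "not_analyzed"},
        },
    }
}

if __name__ == "__main__":
    for f in find_prefixed_subfields(REPORTED):
        print(f"{f['field']}: reachable as {f['actual_path']}, intended {f['intended_path']}")
    print("expected layout findings:", find_prefixed_subfields(EXPECTED))
```

Run against the mapping returned by the index's `_mapping` endpoint, a non-empty result lists the fields whose `.raw` variant sits one level deeper than queries and dashboards assume.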
