The new ElasticSearch template support in 1.3 seems to create mappings like this:
Notice that the two parts of the multi_field are named eventlog_severity and eventlog_severity.raw. To access the raw field, I have to refer to it as "eventlog_severity.eventlog_severity.raw" instead of "eventlog_severity.raw".
According to the ES docs, this multi_field should be defined something like this instead:
That is, in my case, the two parts should be named "eventlog_severity" and "raw", and should be accessed as "eventlog_severity" and "eventlog_severity.raw".
Update: I am using Logstash 1.3.1 and ElasticSearch 0.90.7.
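
An added example, not part of the original report and not Logstash or Elasticsearch code: a small Python check that walks a mapping, lists the path each multi_field sub-field ends up being addressed by, and flags sub-fields whose name repeats the parent field as a dotted prefix. The two sample mappings are constructed from the field names in the report (the `index` settings are assumed), and the function names are hypothetical.

```python
# Sample mappings constructed from the field names in the report; the
# "index" settings are assumptions, not copied from a real template.
AS_GENERATED = {"eventlog_severity": {"type": "multi_field", "fields": {
    "eventlog_severity": {"type": "string", "index": "analyzed"},
    "eventlog_severity.raw": {"type": "string", "index": "not_analyzed"}}}}
AS_DOCUMENTED = {"eventlog_severity": {"type": "multi_field", "fields": {
    "eventlog_severity": {"type": "string", "index": "analyzed"},
    "raw": {"type": "string", "index": "not_analyzed"}}}}


def access_paths(properties, prefix=""):
    """Return the path under which every field and sub-field is addressed."""
    paths = []
    for name, spec in sorted(properties.items()):
        full = prefix + name
        if spec.get("type") == "multi_field":
            for sub in sorted(spec.get("fields", {})):
                # The sub-field named like its parent is the default one and
                # is addressed by the parent name; others are parent.sub.
                paths.append(full if sub == name else full + "." + sub)
        elif "properties" in spec:  # object field: recurse into children
            paths.extend(access_paths(spec["properties"], full + "."))
        else:
            paths.append(full)
    return paths


def find_misnamed_subfields(properties, prefix=""):
    """Return (field path, sub-field name, suggested name) for sub-fields
    whose name starts with '<parent>.' inside a multi_field."""
    findings = []
    for name, spec in sorted(properties.items()):
        full = prefix + name
        if spec.get("type") == "multi_field":
            for sub in sorted(spec.get("fields", {})):
                if sub.startswith(name + "."):
                    findings.append((full, sub, sub[len(name) + 1:]))
        if "properties" in spec:
            findings.extend(
                find_misnamed_subfields(spec["properties"], full + "."))
    return findings


if __name__ == "__main__":
    for label, mapping in (("generated", AS_GENERATED),
                           ("documented", AS_DOCUMENTED)):
        print(label, access_paths(mapping), find_misnamed_subfields(mapping))
```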