
Error in new ElasticSearch index template support

Description

The new ElasticSearch template support in 1.3 seems to create mappings like this:

    eventlog_severity: {
      type: multi_field
      fields: {
        eventlog_severity: {
          omit_norms: true
          index_options: docs
          type: string
        }
        eventlog_severity.raw: {
          include_in_all: false
          index: not_analyzed
          ignore_above: 256
          omit_norms: true
          index_options: docs
          type: string
        }
      }
    }

Notice that the two parts of the multi_field are named eventlog_severity and eventlog_severity.raw. To access the raw field, I have to refer to it as "eventlog_severity.eventlog_severity.raw" instead of "eventlog_severity.raw".

According to the ES docs, this multi_field should be defined something like this instead:

    mapping: {
      type: "multi_field"
      fields: {
        {name}: { ... }
        raw: { ... }
      }
    }

That is, in my case, the two parts should be named "eventlog_severity" and "raw", and should be accessed as "eventlog_severity" and "eventlog_severity.raw".

Update: I am using Logstash 1.3.1 and ElasticSearch 0.90.7.
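
An added example (not part of the original report, and not Logstash or ElasticSearch code): a small Python check that walks a mapping's properties and reports multi_field sub-fields whose name repeats the parent name as a prefix, together with the path the report says is then needed to query them. The function name and the second sample field (host) are constructed for illustration.

```python
import json

# Constructed sample: the mapping from the report rewritten as JSON, plus a
# hypothetical "host" field named the way the report says it should be.
SAMPLE_MAPPING = json.loads("""
{
  "eventlog_severity": {
    "type": "multi_field",
    "fields": {
      "eventlog_severity": {"type": "string", "omit_norms": true,
                            "index_options": "docs"},
      "eventlog_severity.raw": {"type": "string", "index": "not_analyzed",
                                "ignore_above": 256, "include_in_all": false}
    }
  },
  "host": {
    "type": "multi_field",
    "fields": {
      "host": {"type": "string"},
      "raw": {"type": "string", "index": "not_analyzed"}
    }
  }
}
""")


def find_misnamed_subfields(properties, prefix=""):
    """Return (field, sub_field, query_path, intended_path) tuples for every
    multi_field sub-field named "<parent>.<suffix>" instead of "<suffix>"."""
    findings = []
    for name, spec in properties.items():
        if not isinstance(spec, dict):
            continue
        full = prefix + name
        if spec.get("type") == "multi_field":
            for sub in spec.get("fields", {}):
                if sub.startswith(name + "."):
                    suffix = sub[len(name) + 1:]
                    findings.append(
                        (full, sub, full + "." + sub, full + "." + suffix))
        # Object fields nest further properties; check those as well.
        if isinstance(spec.get("properties"), dict):
            findings.extend(
                find_misnamed_subfields(spec["properties"], full + "."))
    return findings


if __name__ == "__main__":
    for field, sub, actual, intended in find_misnamed_subfields(SAMPLE_MAPPING):
        print(f"{field}: sub-field {sub!r} is reached as {actual!r}, "
              f"expected {intended!r}")
```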

Environment

None

Status

Assignee

Aaron Mildenstein

Reporter

Lucas Pimentel

Fix versions

Affects versions

1.3.1

Priority