Not Analysed log fields in ElasticSearch


#1

Right now we don’t send this property when the pattern is created. All the log fields, other than message, should be not_analysed, and the fields added using the Add Log Fields activity should have the option to toggle this property.


#2

Agree. But there is a workaround using Elasticsearch templates.


#3

@b_s Tell us more 🙂


#4

We need not_analysed fields for our Kibana reports. Because of the missing feature Teodor mentioned, we had to create these fields using Elasticsearch templates created with curl.
It works and is OK because you do not add new fields for a process every day 😉
But of course I would prefer an update of the addlogfields activity if possible.


#5

@b_s Can you share the mapping command with us?
How are you dealing with the different indexes? Every month a new index is created, which is why I’m asking.


#6

With Orchestrator 2016.2 we use

```
curl -XPUT --noproxy SERVER "http://SERVER:9200/_template/TEMPLATENAME*" --data "{\"template\":\"INDEXNAME\",\"order\":1,\"mappings\":{\"logEvent\":{\"properties\":{\"TransactionGuid\":{\"type\":\"string\",\"index\":\"not_analyzed\"},\"TransactionMessage\":{\"type\":\"string\",\"index\":\"not_analyzed\"}}}}}"
```

to create the fields TransactionGuid and TransactionMessage as “not analysed”.

You can define TEMPLATENAME yourself. Use * at the end.
INDEXNAME is the tenant name in lower-case letters and without blanks.
Restarting Elasticsearch is necessary.

For each newly created index whose name starts with TEMPLATENAME, these defined fields are created automatically.
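
An added example, not part of the thread and not UiPath's or Elasticsearch's own code: a Python sketch that generates the template body from post #6 for any list of fields and checks which index names its pattern would cover, which is the monthly-index question in post #5. The trailing `*` in the `template` value, the sample tenant, the template name and the `<tenant>-<yyyy.mm>` index names are assumptions constructed for illustration.

```python
import fnmatch
import json
import shlex


def index_name(tenant):
    """INDEXNAME as post #6 describes it: tenant name, lower case, no blanks."""
    name = "".join(tenant.split()).lower()
    if not name:
        raise ValueError("tenant name is empty")
    return name


def build_template(tenant, fields, order=1):
    """Template body in the "string"/"not_analyzed" syntax used in the thread."""
    if not fields:
        raise ValueError("no fields given")
    props = {f: {"type": "string", "index": "not_analyzed"} for f in fields}
    return {
        "template": index_name(tenant) + "*",  # assumption: trailing wildcard
        "order": order,
        "mappings": {"logEvent": {"properties": props}},
    }


def covered(template, index_names):
    """Index names the pattern matches, approximated with shell-style matching."""
    return [n for n in index_names if fnmatch.fnmatchcase(n, template["template"])]


def curl_command(server, template_name, template):
    """POSIX-shell command line; shlex.join quotes the JSON body safely."""
    body = json.dumps(template, separators=(",", ":"))
    url = "http://%s:9200/_template/%s" % (server, template_name)
    return shlex.join(["curl", "-XPUT", "--noproxy", server, url, "--data", body])


if __name__ == "__main__":
    # Constructed sample values: tenant, template name and index names are made up.
    tpl = build_template("My Tenant", ["TransactionGuid", "TransactionMessage"])
    print(curl_command("SERVER", "mytenant_logfields", tpl))
    print(covered(tpl, ["mytenant-2016.10", "mytenant-2016.11", "other-2016.11"]))
```

Because the body is generated from the field list, adding a field later means re-running the script and re-sending the template; indexes that already exist keep their old mapping.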