WARNING: The 2.x versions of Elasticsearch have passed their EOL dates. If you are running a 2.x version, we strongly advise you to upgrade.
This documentation is no longer maintained and may be removed. For the latest information, see the current Elasticsearch documentation.
Index Templates
Elasticsearch doesn’t require you to create an index before using it. With logging, it is often more convenient to rely on index autocreation than to have to create indices manually.
Logstash uses the timestamp from an event to derive the index name. By
default, it indexes into a different index every day, so an event with a
@timestamp of 2014-10-01 00:00:01 will be sent to the index
logstash-2014.10.01. If that index doesn’t already exist, it will be
created for us.
Usually we want some control over the settings and mappings of the new index.
Perhaps we want to limit the number of shards to 1, and we want to disable the
_all field. Index templates can be used to control which settings should be
applied to newly created indices:
PUT /_template/my_logs
{
  "template": "logstash-*",
  "order": 1,
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": false
      }
    }
  },
  "aliases": {
    "last_3_months": {}
  }
}
Create a template called my_logs.
Apply this template to all indices beginning with logstash-.
This template should override the default template, which has a lower order.
Limit the number of primary shards to 1.
Disable the _all field.
Add this index to the last_3_months alias.
This template specifies the default settings that will be applied to any index
whose name begins with logstash-, whether it is created manually or
automatically. If we think the index for tomorrow will need more capacity than
today, we can update the index to use a higher number of shards.
The template even adds the newly created index into the last_3_months alias,
although removing the old indices from that alias will have to be done manually.
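
The manual alias cleanup mentioned above, as an added example that is not part of the original documentation: it derives the daily index name the way the text describes and builds the request body for POST /_aliases that removes daily Logstash indices older than a cutoff from last_3_months. Reading "3 months" as 90 days, the helper names and the sample index list are assumptions.

```python
import json
import re
from datetime import date, datetime, timedelta

ALIAS = "last_3_months"  # alias name taken from the template above
INDEX_RE = re.compile(r"^logstash-(\d{4})\.(\d{2})\.(\d{2})$")


def index_for(timestamp):
    """Daily index name Logstash derives from an event's @timestamp."""
    return timestamp.strftime("logstash-%Y.%m.%d")


def stale_alias_actions(indices, today, keep_days=90):
    """Build the POST /_aliases body that drops old daily indices from ALIAS.

    keep_days=90 is an assumed reading of "3 months". Names that are not
    well-formed daily logstash indices are skipped, never guessed at.
    """
    cutoff = today - timedelta(days=keep_days)
    actions = []
    for name in sorted(indices):
        m = INDEX_RE.match(name)
        if not m:
            continue  # some other index, e.g. .kibana
        try:
            day = date(*map(int, m.groups()))
        except ValueError:  # matches the pattern but is not a real date
            continue
        if day < cutoff:
            actions.append({"remove": {"index": name, "alias": ALIAS}})
    return {"actions": actions}


if __name__ == "__main__":
    # Constructed sample: index names as the alias might currently list them.
    sample = ["logstash-2014.06.30", "logstash-2014.07.03",
              "logstash-2014.10.01", "logstash-2014.13.40", ".kibana"]
    print(index_for(datetime(2014, 10, 1, 0, 0, 1)))
    print(json.dumps(stale_alias_actions(sample, date(2014, 10, 1)), indent=2))
```

Send the body only when its actions list is non-empty. Removing an index from the alias does not delete the index or its data.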