Logs index template reference

edit

Index templates are used to configure the backing indices of data streams as they’re created. These index templates are composed of multiple component templates—reusable building blocks that configure index mappings, settings, and aliases.

You can view the default logs index template in Kibana. Navigate to Stack ManagementIndex ManagementIndex Templates, and search for logs. Select the logs index templates to view relevant component templates.

Edit the logs index template

edit

The default logs index template for the logs-*-* index pattern is composed of the following component templates:

  • logs@mappings
  • logs@settings
  • logs@custom
  • ecs@mappings

You can use the logs@custom component template to customize your Elasticsearch indices. The logs@custom component template is not installed by default, but you can create a component template named logs@custom to override and extend default mappings or settings. To do this:

  1. Open Kibana and navigate to Stack ManagementIndex ManagementComponent Templates.
  2. Click Create component template.
  3. Name the component template logs@custom.
  4. Add any custom metadata, index settings, or mappings.

Changes to component templates are not applied retroactively to existing indices. For changes to take effect, create a new write index for impacted data streams by triggering a rollover. Do this using the Elasticsearch Rollover API. For example, to roll over the logs-generic-default data stream, run:

POST /logs-generic-default/_rollover/
Set the default_field using the custom template
edit

The logs index template uses default_field: [*] meaning queries without specified fields will search across all fields. You can update the default_field to search in the message field instead of all fields using the logs@custom component template.

If you haven’t already created the `logs@custom`component template, create it as outlined in the previous section. Then, follow these steps to update the Index settings of the component template:

  1. Open Kibana and navigate to Stack ManagementIndex ManagementComponent Templates.
  2. Search for logs and find the logs@custom component template.
  3. Open the Actions menu and select Edit.
  4. Select Index settings and add the following code:

    {
      "index": {
        "query": {
          "default_field": [
            "message"
          ]
        }
      }
    }
  5. Click Next through to the Review page and save the component template.