I’d like to exclude fields from the _source but can’t find a document on how to update the index template to exclude fields in _source.
GET _template/filebeat-swift-v1-object-server
# response
{
"filebeat-swift-v1-object-server" : {
"order" : 200,
"index_patterns" : [
"filebeat-swift-v1-object-server-*"
],
"settings" : {
"index" : {
"mapping" : {
"total_fields" : {
"limit" : "10000"
}
},
"refresh_interval" : "300s",
"number_of_shards" : "5",
"max_docvalue_fields_search" : "200",
"query" : {
"default_field" : [
"sysloghost",
"severity",
"programname",
"request_method",
"status_int",
"transaction_id",
"source",
"policy_index",
"wire_status_int",
"host.name",
"account_keyword",
"container_keyword",
"object_keyword",
"fields.*"
]
},
"knn" : "true",
"number_of_replicas" : "0"
}
},
"mappings" : {
"_meta" : {
"beat" : "filebeat",
"version" : "7.10.2"
},
"dynamic_templates" : [
{
"strings_as_keyword" : {
"mapping" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"match_mapping_type" : "string"
}
}
],
"date_detection" : false,
"properties" : {
"container" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"msg" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"referer" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"reason" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"bytes_recvd_l" : {
"type" : "long"
},
"ed_time" : {
"type" : "date"
},
"log_info" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"programname" : {
"ignore_above" : 64,
"type" : "keyword"
},
"request_method" : {
"ignore_above" : 8,
"type" : "keyword"
},
"source" : {
"ignore_above" : 8,
"type" : "keyword"
},
"wire_status_int" : {
"ignore_above" : 4,
"type" : "keyword"
},
"request_time" : {
"type" : "float"
},
"client_etag" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"protocoli" : {
"ignore_above" : 16,
"index" : false,
"type" : "keyword"
},
"host" : {
"properties" : {
"name" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
},
"client_ip" : {
"type" : "ip"
},
"sysloghost" : {
"ignore_above" : 64,
"type" : "keyword"
},
"container_keyword" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"user_agent" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"object_keyword" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"server_pid" : {
"index" : false,
"type" : "long"
},
"transaction_id" : {
"norms" : false,
"type" : "text"
},
"severity" : {
"ignore_above" : 16,
"type" : "keyword"
},
"headers" : {
"properties" : { }
},
"remote_addr" : {
"type" : "ip"
},
"bytes_sent_l" : {
"type" : "long"
},
"account_keyword" : {
"ignore_above" : 1024,
"type" : "keyword"
},
"st_time" : {
"type" : "date"
},
"ttfb_f" : {
"type" : "float"
},
"policy_index" : {
"ignore_above" : 3,
"type" : "keyword"
},
"end_time" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"reserve1" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"reserve2" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"message" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"status_int" : {
"ignore_above" : 4,
"type" : "keyword"
},
"start_time" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"@timestamp" : {
"type" : "date"
},
"content_length_l" : {
"type" : "long"
},
"transfer_speed_long" : {
"type" : "long"
},
"additional_info" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"request_path" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"auth_token" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"account" : {
"norms" : false,
"index" : false,
"type" : "text"
},
"object" : {
"norms" : false,
"index" : false,
"type" : "text"
}
}
},
"aliases" : { }
}
}
Thanks // Hugo