[SOLVED] How to disable _source from index template?

I’d like to exclude fields from the _source but can’t find a document on how to update the index template to exclude fields in _source.

GET _template/filebeat-swift-v1-object-server

# response
{
  "filebeat-swift-v1-object-server" : {
    "order" : 200,
    "index_patterns" : [
      "filebeat-swift-v1-object-server-*"
    ],
    "settings" : {
      "index" : {
        "mapping" : {
          "total_fields" : {
            "limit" : "10000"
          }
        },
        "refresh_interval" : "300s",
        "number_of_shards" : "5",
        "max_docvalue_fields_search" : "200",
        "query" : {
          "default_field" : [
            "sysloghost",
            "severity",
            "programname",
            "request_method",
            "status_int",
            "transaction_id",
            "source",
            "policy_index",
            "wire_status_int",
            "host.name",
            "account_keyword",
            "container_keyword",
            "object_keyword",
            "fields.*"
          ]
        },
        "knn" : "true",
        "number_of_replicas" : "0"
      }
    },
    "mappings" : {
      "_meta" : {
        "beat" : "filebeat",
        "version" : "7.10.2"
      },
      "dynamic_templates" : [
        {
          "strings_as_keyword" : {
            "mapping" : {
              "ignore_above" : 1024,
              "type" : "keyword"
            },
            "match_mapping_type" : "string"
          }
        }
      ],
      "date_detection" : false,
      "properties" : {
        "container" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "msg" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "referer" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "reason" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "bytes_recvd_l" : {
          "type" : "long"
        },
        "ed_time" : {
          "type" : "date"
        },
        "log_info" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "programname" : {
          "ignore_above" : 64,
          "type" : "keyword"
        },
        "request_method" : {
          "ignore_above" : 8,
          "type" : "keyword"
        },
        "source" : {
          "ignore_above" : 8,
          "type" : "keyword"
        },
        "wire_status_int" : {
          "ignore_above" : 4,
          "type" : "keyword"
        },
        "request_time" : {
          "type" : "float"
        },
        "client_etag" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "protocoli" : {
          "ignore_above" : 16,
          "index" : false,
          "type" : "keyword"
        },
        "host" : {
          "properties" : {
            "name" : {
              "ignore_above" : 1024,
              "type" : "keyword"
            }
          }
        },
        "client_ip" : {
          "type" : "ip"
        },
        "sysloghost" : {
          "ignore_above" : 64,
          "type" : "keyword"
        },
        "container_keyword" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "user_agent" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "object_keyword" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "server_pid" : {
          "index" : false,
          "type" : "long"
        },
        "transaction_id" : {
          "norms" : false,
          "type" : "text"
        },
        "severity" : {
          "ignore_above" : 16,
          "type" : "keyword"
        },
        "headers" : {
          "properties" : { }
        },
        "remote_addr" : {
          "type" : "ip"
        },
        "bytes_sent_l" : {
          "type" : "long"
        },
        "account_keyword" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "st_time" : {
          "type" : "date"
        },
        "ttfb_f" : {
          "type" : "float"
        },
        "policy_index" : {
          "ignore_above" : 3,
          "type" : "keyword"
        },
        "end_time" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "reserve1" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "reserve2" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "message" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "status_int" : {
          "ignore_above" : 4,
          "type" : "keyword"
        },
        "start_time" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "@timestamp" : {
          "type" : "date"
        },
        "content_length_l" : {
          "type" : "long"
        },
        "transfer_speed_long" : {
          "type" : "long"
        },
        "additional_info" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "request_path" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "auth_token" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "account" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "object" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        }
      }
    },
    "aliases" : { }
  }
}

Thanks // Hugo

I figured it out by this JSON body. The “enabled”:false works. The “includes” can do it even better for my case.

{
    "index_patterns" : [
      "filebeat-swift-v1-object-server-*"
    ],
    "settings" : {
      "index" : {
        "mapping" : {
          "total_fields" : {
            "limit" : "10000"
          }
        },
        "refresh_interval" : "300s",
        "number_of_shards" : "180",
        "max_docvalue_fields_search" : "200",
        "query" : {
          "default_field" : [
            "sysloghost",
            "severity",
            "programname",
            "request_method",
            "status_int",
            "transaction_id",
            "source",
            "policy_index",
            "wire_status_int",
            "host.name",
            "account_keyword",
            "container_keyword",
            "object_keyword",
            "fields.*"
          ]
        },
        "knn" : "true",
        "number_of_replicas" : "0"
      }
    },
    "mappings" : {
      "_source" : { 
        "includes": [
          "programname",
          "request_method",
          "status_int",
          "transaction_id",
          "sysloghost"
        ]
      },
      "_meta" : {
        "beat" : "filebeat",
        "version" : "7.10.2"
      },
      "dynamic_templates" : [
        {
          "strings_as_keyword" : {
            "mapping" : {
              "ignore_above" : 1024,
              "type" : "keyword"
            },
            "match_mapping_type" : "string"
          }
        }
      ],
      "date_detection" : false,
      "properties" : {
        "container" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "msg" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "referer" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "reason" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "bytes_recvd_l" : {
          "type" : "long"
        },
        "ed_time" : {
          "type" : "date"
        },
        "log_info" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "programname" : {
          "ignore_above" : 64,
          "type" : "keyword"
        },
        "request_method" : {
          "ignore_above" : 8,
          "type" : "keyword"
        },
        "source" : {
          "ignore_above" : 8,
          "type" : "keyword"
        },
        "wire_status_int" : {
          "ignore_above" : 4,
          "type" : "keyword"
        },
        "request_time" : {
          "type" : "float"
        },
        "protocoli" : {
          "ignore_above" : 16,
          "index" : false,
          "type" : "keyword"
        },
        "client_etag" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "host" : {
          "properties" : {
            "name" : {
              "ignore_above" : 1024,
              "type" : "keyword"
            }
          }
        },
        "client_ip" : {
          "type" : "ip"
        },
        "sysloghost" : {
          "ignore_above" : 64,
          "type" : "keyword"
        },
        "container_keyword" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "user_agent" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "server_pid" : {
          "index" : false,
          "type" : "long"
        },
        "transaction_id" : {
          "norms" : false,
          "type" : "text"
        },
        "object_keyword" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "severity" : {
          "ignore_above" : 16,
          "type" : "keyword"
        },
        "bytes_sent_l" : {
          "type" : "long"
        },
        "headers" : {
          "properties" : { }
        },
        "remote_addr" : {
          "type" : "ip"
        },
        "account_keyword" : {
          "ignore_above" : 1024,
          "type" : "keyword"
        },
        "st_time" : {
          "type" : "date"
        },
        "ttfb_f" : {
          "type" : "float"
        },
        "end_time" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "reserve1" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "policy_index" : {
          "ignore_above" : 3,
          "type" : "keyword"
        },
        "reserve2" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "message" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "status_int" : {
          "ignore_above" : 4,
          "type" : "keyword"
        },
        "start_time" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "@timestamp" : {
          "type" : "date"
        },
        "content_length_l" : {
          "type" : "long"
        },
        "transfer_speed_long" : {
          "type" : "long"
        },
        "additional_info" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "request_path" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "auth_token" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "account" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        },
        "object" : {
          "norms" : false,
          "index" : false,
          "type" : "text"
        }
      }
    },
    "aliases" : { }
  }
1 Like

Glad you solved it so quickly - and thanks for coming back with the answer @hugok!