Create a logs@custom index template reference #3593
Conversation
|
A documentation preview will be available soon: |
|
This pull request does not have a backport label. Could you fix it @mdbirnstiehl? 🙏
|
mergify
bot
added
the
backport-skip
mdbirnstiehl
added
backport-8.12
|
@eyalkoren @ruflin I've created this PR as a first iteration for the logs@custom reference to show how to update the |
| * `logs@custom` | ||
| * `ecs@mappings` | ||
|
|
||
| You can use the `@custom` component template to customize your {es} indices. The `logs@custom` template is not installed by default, but you can create a template named `logs@custom` to override and extend default mappings or settings. |
There was a problem hiding this comment.
I currently get this error because logs@custom doesn't exist. I'm using this version of the stack 8.13.0-f56d9bd5-SNAPSHOT released on 2024-02-05
{
"statusCode": 400,
"error": "Bad Request",
"message": "index_template [simulate_template_cjga1q24s0swusgjolwsba] invalid, cause [index template [simulate_template_cjga1q24s0swusgjolwsba] specifies component templates [logs@custom] that do not exist]",
"attributes": {
"error": {
"root_cause": [
{
"type": "invalid_index_template_exception",
"reason": "index_template [simulate_template_cjga1q24s0swusgjolwsba] invalid, cause [index template [simulate_template_cjga1q24s0swusgjolwsba] specifies component templates [logs@custom] that do not exist]"
}
],
"type": "invalid_index_template_exception",
"reason": "index_template [simulate_template_cjga1q24s0swusgjolwsba] invalid, cause [index template [simulate_template_cjga1q24s0swusgjolwsba] specifies component templates [logs@custom] that do not exist]"
}
}
}
There was a problem hiding this comment.
I've encountered this at some point (see thread) but couldn't replicate it today after testing several versions (didn't test snapshots)
There was a problem hiding this comment.
@gbamparop I could use someone else trying the latest snapshot to see if it is just me or we need to open a bug about this.
There was a problem hiding this comment.
@gbamparop I have added some more info to this thread so that someone else can replicate it.
| You can update the `default_field` to search in the `message` field instead of all fields using the `logs@custom` component template. | ||
|
|
||
| Either create the `logs@custom` template as detailed in the previous section, or edit the existing one to include the following in the *Index settings*: | ||
| Either create the `logs@custom` component template as outlined in the previous section, or add the following code to the *Index settings* of the `logs` index template: |
There was a problem hiding this comment.
@ruflin, what do you think about this sentence?
Personally, I wouldn't suggest fiddling with the logs index template but only changing the custom component template.
Thoughts? @gbamparop
There was a problem hiding this comment.
I think maybe the initial sentence wasn't clear. My initial intention was to say "Create a logs@custom component template and add the following to the index settings. If you've already created a logs@custom component template, you can edit it and add the following to the index settings." I didn't mean to suggest editing the logs template.
There was a problem hiding this comment.
ok. sorry it wasn't 100% clear.
I would rephrase as "If you don't already have a logs@custom component template you can create it manually. Once you have it, you can add the following to the settings section"
There was a problem hiding this comment.
Thanks for pointing it out. I updated it to be clear and add steps for updating the template. I guess because of the way the search works, you can't search for anything using the "@" symbol? or it throws the error:
Not sure if there's an underlying reason for this, but it does make it pretty difficult to find any custom templates.
There was a problem hiding this comment.
@mdbirnstiehl Yes, I have experienced this. You can't search for "logs@custom". Either for logs or for custom and then iterate through the many pages
There was a problem hiding this comment.
That sounds like a bug especially as we use it in our names. Has anyone reported this? If not, lets do it.
|
@mdbirnstiehl thanks for the changes. I just have two questions left on this PR, as soon as we have an answer to them we can merge this PR |
|
@mdbirnstiehl just to summarize:
Those bugs are unrelated to this PR. so I have approved this PR now. |
|
/test |
|
run docs-build |
(cherry picked from commit ecf1c57)
(cherry picked from commit ecf1c57) # Conflicts: # docs/en/observability/logs-checklist.asciidoc
…3649) * Create a logs@custom index template reference (#3593) (cherry picked from commit ecf1c57) # Conflicts: # docs/en/observability/logs-checklist.asciidoc * resolve merge conflicts * Update docs/en/observability/logs-checklist.asciidoc --------- Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> Co-authored-by: Colleen McGinnis <colleen.mcginnis@elastic.co>
this PR closes #3393
Create a log@custom index template guide that also references how to update the
default_fieldtomessageafter an update has changed the default behavior to[*].