metron-dev mailing list archives

From Houshang Livian <>
Subject Re: [DISCUSS] Management of Elastic and other index schemas
Date Fri, 17 Feb 2017 18:28:59 GMT
If we had a UI to switch types for existing fields in a template, would that work? 

What else is necessary?

On 2/17/17, 10:22 AM, "Simon Elliston Ball" <> wrote:

>A little while ago the issue of managing Elastic templates for new sensor configs came up, and we didn’t quite put it to bed.
>When creating new sensors, I almost invariably find the auto-generated schemas for elastic pick some incorrect types. I also find I have to recreate indexes every time to push in the proper dynamic templates for things like geo enrichment fields.
>So, my questions are:
>How should we address elastic template for new sensors?
>Do we have circumstances where we would need to configure types, or can we get away with inferring them?
>Should we just add some additional dynamic templates to cover our common fields like timestamp (the most common culprit I find for incorrect typing)?
>I’d also like to think about ways we can generalise this. Does anyone have any thoughts on what sort of additional index schemes we should want to infer (solr seems an obvious one, any others?).
>Thoughts on a well typed, schemaed and easily indexed postcard please :)