
Updating Elasticsearch Templates to Work with Elasticsearch 5.x

To update the existing Elasticsearch template for each sensor so that every new index created from it has the alert field, perform the following steps:

  1. Update the Elasticsearch template for each sensor, so any new index will have the alert field.

    1. Retrieve the template:

      The template, not each index, is edited, so indices created by rollover do not have to be handled individually. The example appends _index* to the sensor name so the request matches that sensor's template (for example bro_index); the pattern can contain wildcards. Elasticsearch returns the template keyed by its name, which is why the wrapper is removed in the next step.

      export ELASTICSEARCH="node1"
      export SENSOR="bro"
      curl -XGET "http://${ELASTICSEARCH}:9200/_template/${SENSOR}_index*?pretty=true" -o "${SENSOR}.template"
    2. Strip the outer wrapper and add the alert field. The GET response has the form { "bro_index" : { ... } }, but the PUT in step 3 expects only the template body, so delete the second and the last line of the pretty-printed file, then append the alert definition after the "properties" line:

      sed -i '' '2d;$d' ./${SENSOR}.template
      sed -i '' '/"properties" : {/ a\
      "alert": { "type": "nested"},' ${SENSOR}.template

      The sed -i '' form is BSD/macOS syntax; with GNU sed on Linux use sed -i without the empty argument. The a\ command fires on every matching line, so a template whose nested objects carry their own "properties" blocks gets an alert entry in each of them as well; inspect the output in the next step before uploading it.
  2. Verify your changes. The file must still parse as JSON and should show "alert" as a nested field directly under the mapping's top-level properties:

    python -m json.tool ${SENSOR}.template
  3. Add the template back into Elasticsearch. The Content-Type header is optional on 5.x but required from Elasticsearch 6.0 onward, so include it:

    curl -XPUT "http://${ELASTICSEARCH}:9200/_template/${SENSOR}_index" -H 'Content-Type: application/json' -d @${SENSOR}.template
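The line-oriented sed edit in step 1 depends on the exact pretty-printed layout and appends after every "properties" line it finds. The following script, added here as an example and not code from the original page or from the Metron project, performs the same unwrap-and-add step with a JSON-aware edit: it takes the saved GET response, removes the template-name wrapper, adds "alert": {"type": "nested"} to the top-level properties of each mapping type only, checks the result as step 2 does, and writes the body that step 3 uploads. The file name, the sample_template() contents and the function names are assumptions made for the example.

```python
"""JSON-aware version of the template edit: unwrap the GET response, add the
alert nested field, check it, and emit the body for curl -XPUT.

Added example, not code from the page or from Metron. Assumed: the file named
on the command line is the output of
GET /_template/${SENSOR}_index*?pretty=true saved verbatim.
Usage: python add_alert_field.py bro.template > bro.body
"""
import copy
import json
import sys

ALERT_FIELD = {"type": "nested"}


def unwrap_template(doc):
    """GET /_template/<pattern> returns {"<name>": <body>}; PUT wants <body>.

    Returns (name, body). A wildcard pattern may match several templates;
    refuse to pick one silently, because the PUT in step 3 names exactly one.
    """
    if not isinstance(doc, dict) or len(doc) != 1:
        raise ValueError("expected exactly one template in the GET response")
    (name, body), = doc.items()
    return name, body


def add_alert_field(body):
    """Insert "alert": {"type": "nested"} into the top-level properties of each
    mapping type. Nested objects with their own "properties" are left alone,
    which is where a line-oriented /"properties"/ append goes wrong.
    Returns the mapping types that were changed (empty on a repeat run).
    """
    changed = []
    for type_name, mapping in body.get("mappings", {}).items():
        props = mapping.setdefault("properties", {})
        if props.get("alert") == ALERT_FIELD:
            continue  # idempotent: already applied
        props["alert"] = dict(ALERT_FIELD)
        changed.append(type_name)
    return changed


def alert_field_ok(body):
    """The check from step 2: every mapping type has alert as a nested field at
    the top level, and no inner "properties" block has gained one."""
    def inner_blocks_clean(props):
        for field in props.values():
            inner = field.get("properties") if isinstance(field, dict) else None
            if inner is not None:
                if "alert" in inner or not inner_blocks_clean(inner):
                    return False
        return True

    mappings = body.get("mappings", {})
    if not mappings:
        return False
    for mapping in mappings.values():
        props = mapping.get("properties", {})
        if props.get("alert") != ALERT_FIELD or not inner_blocks_clean(props):
            return False
    return True


def sample_template():
    """Constructed stand-in for a bro template on ES 5.x (not a real Metron file)."""
    return copy.deepcopy({
        "bro_index": {
            "template": "bro_index*",
            "mappings": {
                "bro_doc": {
                    "properties": {
                        "timestamp": {"type": "date", "format": "epoch_millis"},
                        "source:type": {"type": "keyword"},
                        "ip_src_addr": {"type": "ip"},
                        "enrichments": {
                            # an inner "properties" block that must stay unchanged
                            "properties": {
                                "geo": {"properties": {"country": {"type": "keyword"}}}
                            }
                        },
                    }
                }
            },
        }
    })


def main(argv):
    # With no file argument the constructed sample is used, so the script runs offline.
    doc = json.load(open(argv[1])) if len(argv) > 1 else sample_template()
    name, body = unwrap_template(doc)
    changed = add_alert_field(body)
    if not alert_field_ok(body):
        raise SystemExit("alert field was not applied cleanly to %s" % name)
    sys.stderr.write("%s: alert added to %s\n" % (name, changed or "nothing (already present)"))
    json.dump(body, sys.stdout, indent=2)  # this is the body for curl -XPUT .../_template/<name>
    sys.stdout.write("\n")


if __name__ == "__main__":
    main(sys.argv)
```

The script refuses to continue when the wildcard matched more than one template, because the PUT URL names a single template and uploading the wrong body would silently change another sensor's mapping.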