Updating Elasticsearch Templates to Work with Elasticsearch 5.x

To update your existing Elasticsearch templates for each sensor so any new indexes have the appropriate field, perform the following steps:

  1. Update the Elasticsearch template for each sensor, so any new index will have the alert field.

    1. Retrieve the template:

      The template name in the URL can contain wildcards, so if rollover has created several templates for a sensor you do not need to fetch each one individually. The following example appends _index* to the sensor name to match every template for that sensor. Keep ?pretty=true: the line-based sed edits in the next step depend on the pretty-printed layout.

      export ELASTICSEARCH="node1"
      export SENSOR="bro"
      curl -XGET "http://${ELASTICSEARCH}:9200/_template/${SENSOR}_index*?pretty=true" -o "${SENSOR}.template"
    2. Strip the outer wrapper that GET adds around the template body (the template-name key on line 2 and the closing brace on the last line; the PUT in step 3 names the template in the URL instead), then add the alert field:

      # BSD/macOS sed shown; with GNU sed drop the empty '' argument and use plain sed -i
      sed -i '' '2d;$d' ./${SENSOR}.template
      # a\ appends after every line matching "properties" : {, so if the mapping contains
      # nested objects with their own properties block, check the result in the next step
      sed -i '' '/"properties" : {/ a\
      "alert": { "type": "nested"},' ${SENSOR}.template
  2. Verify your changes (the file must still parse as JSON and should now contain the alert field):

    python -m json.tool ${SENSOR}.template
  3. Add the template back into Elasticsearch under its original name:

    curl -XPUT -H 'Content-Type: application/json' "http://${ELASTICSEARCH}:9200/_template/${SENSOR}_index" -d @${SENSOR}.template
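A JSON-aware way to do steps 1.2 and 2 in one go, added here as an illustration rather than part of the original instructions: it parses the GET response with Python's json module instead of deleting lines with sed, refuses to continue if the wildcard matched more than one template, and adds the nested alert field only to each mapping type's top-level properties (the sed append in step 1.2 would also fire on a nested properties block such as a geo object). The sample response, the bro_doc type name and its fields are constructed for the example.

```python
import json

# Constructed sample of a GET /_template/bro_index*?pretty=true response on ES 5.x;
# the outer key is the template name, which must not appear in the body that is PUT back.
SAMPLE_GET_RESPONSE = json.dumps({
    "bro_index": {
        "order": 0,
        "template": "bro_index*",
        "settings": {"index": {"number_of_shards": "1"}},
        "mappings": {"bro_doc": {"properties": {
            "timestamp": {"type": "date"},
            "ip_src_addr": {"type": "ip"},
            "geo": {"properties": {"country": {"type": "keyword"}}},
        }}},
        "aliases": {},
    }
})

def unwrap_template(get_response, expected_name):
    """Strip the template-name wrapper GET adds; refuse ambiguous wildcard matches."""
    doc = json.loads(get_response)
    if len(doc) != 1:
        raise ValueError("matched %d templates, expected 1: %s" % (len(doc), sorted(doc)))
    (name, body), = doc.items()
    if name != expected_name:
        raise ValueError("got template %r, expected %r" % (name, expected_name))
    return body

def add_alert_field(body):
    """Add 'alert' as a nested field to the top-level properties of each mapping type
    only; inner properties blocks such as 'geo' are left alone. Idempotent; returns
    the number of mapping types changed."""
    added = 0
    for type_name, mapping in body["mappings"].items():
        props = mapping.setdefault("properties", {})
        existing = props.get("alert")
        if existing is None:
            props["alert"] = {"type": "nested"}
            added += 1
        elif existing.get("type") != "nested":
            raise ValueError("%s.alert already exists as %r" % (type_name, existing.get("type")))
    return added

def build_put_body(get_response, template_name):
    """Return the JSON document to PUT to /_template/<template_name> (step 3)."""
    body = unwrap_template(get_response, template_name)
    add_alert_field(body)
    return json.dumps(body, indent=2)
```

Write the output of build_put_body() to ${SENSOR}.template and the curl -XPUT in step 3 uploads it unchanged.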