In the ES 2.X days – my custom analyzer YML could live in the node elasticsearch.yml file and all elements in their were available to any other templates. So I could freely reference my custom analyzer in the Graylog UI when creating a new index set.
Now in 5.X - that code has to live in templates as well in the “settings” area (and be in the same template adjacent to the custom mappings as far as I can tell?). So I make custom templates hitting “*” and my index naming to define those analyzers and mappings ahead of time – but when I try to set the analyzer in Graylog to the custom one – the default template Graylog creates for the index will fail since the analyzer is unknown.
My workaround is to just set the UI to standard and in my custom templates for the indices override the “message” and “full_message” to my analyzer – But this seems hacky.
Is this the appropriate route?
Thanks,
Nick
On a side note: In general, has anyone else dealt with these former custom analyzers in node configs? I’m looking at an annoying reindexing activity unless I can figure out how to let my indices know about my analyzer (very annoying chicken and egg issue – I try to load in the analyzer into all index settings retroactively per the upgrade conversion guide, fails because the index has a mapper set to the analyzer I’m trying to load in that it doesn’t know about…seems dumb to me that settings changes fail due to mapper exceptions)