Does Graylog use OpenSearch Index Templates? I’m not seeing any.
I need to set up an OpenSearch index template pattern to apply a setting to all new indices that are created in one of our index sets… can I do this without affecting the normal settings that Graylog specifies when the index set is rotated and it creates the next index for writing? I’m not sure exactly how Graylog creates new indices.
What happens with I create a field type mapping or apply a field type profile - does Graylog put these in an OpenSearch index template, or just incorporate the field type settings when it creates each new index directly?
I found what looks to be the OpenSearch legacy templates maintained by Graylog for our index sets in http://localhost:9200/_template. There is one for each index set named “index_set_prefix-template”.
Can we alter these and not have Graylog overwrite them and remove the extra settings I put in?
5.2 docs cover this here Elasticsearch (Custom Index Mappings section toward the bottom). I’ve done this in the past and it works as intended. You don’t overwrite the existing default template but add a new one with a different name, using the index_patterns param to apply to the graylog indices.
You install templates using the opensearch/elasticsearch REST api, the docs have an example but you can find more info in the opensearch/elasticsearch docs.
Side note: these days they use the term Index Set Templates for a completely different feature, data tiering configuration. I was initially confused by that!
