From 1b24883ce1230dd10144396e13de2b1c4306fe5b Mon Sep 17 00:00:00 2001
From: Chris Earle <pickypg@users.noreply.github.com>
Date: Wed, 18 Nov 2015 11:34:12 -0500
Subject: [PATCH] Disable fielddata use for analyzed strings

By default, users should not be sorting, aggregating, or scripting against the analyzed string variant of fields. Instead, users should do those things against the `.raw` multifield variant.

This _will_ prevent the use of `significant_terms` aggregation against the associated field, which will be undesirable in rare cases. Given the rarity of that need, I would much rather have those users manually enable fielddata explicitly for the field (it is dynamically updatable!).
---
 .../outputs/elasticsearch/elasticsearch-template.json         | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/logstash/outputs/elasticsearch/elasticsearch-template.json b/lib/logstash/outputs/elasticsearch/elasticsearch-template.json
index 1be0dccd2..0126c7111 100644
--- a/lib/logstash/outputs/elasticsearch/elasticsearch-template.json
+++ b/lib/logstash/outputs/elasticsearch/elasticsearch-template.json
@@ -11,7 +11,8 @@
           "match" : "message",
           "match_mapping_type" : "string",
           "mapping" : {
-            "type" : "string", "index" : "analyzed", "omit_norms" : true
+            "type" : "string", "index" : "analyzed", "omit_norms" : true,
+            "fielddata" : { "format" : "disabled" }
           }
         }
       }, {
@@ -20,6 +21,7 @@
           "match_mapping_type" : "string",
           "mapping" : {
             "type" : "string", "index" : "analyzed", "omit_norms" : true,
+            "fielddata" : { "format" : "disabled" },
             "fields" : {
               "raw" : {"type": "string", "index" : "not_analyzed", "doc_values" : true, "ignore_above" : 256}
             }