
Modifying default Elasticsearch template in Logstash 5.x


I've set up an Elastic Stack 5.3 to aggregate logs from a bunch of servers, with Filebeat in each of the servers scraping the logs and sending them to a centralised Logstash, Elasticsearch and Kibana.

I've set up my Logstash configuration to extract some custom string fields but I wish to change the index template to change their type from "text" to "keyword". I've found the configuration directives to specify my own template, but where can I find Logstash's default template so I can use it as a starting point? I've searched under /etc/logstash and /usr/share/logstash (I've installed a vanilla Logstash 5.3 RPM on RHEL 7) but couldn't find anything.

Any good example of how to create a non-standard index template on Logstash 5.x would be really handy; most of the examples I have found predate Beats and the new string types in 5.x. The documentation leaves something to be desired.


Solution

  • The default Elasticsearch index template can be found in the logstash-output-elasticsearch plugin repository at https://github.com/logstash-plugins/logstash-output-elasticsearch/tree/master/lib/logstash/outputs/elasticsearch

    You'll find different templates in there, for ES 2.x, 5.x and 6.x; the one you're looking for is probably the 5.x one.
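
One way to derive a custom template from the default, as an added example that is not part of the original answer or the plugin's own code: the script adds an explicit `keyword` mapping for each custom field, which takes precedence over the dynamic `text` mapping. `BASE_TEMPLATE` is a constructed, trimmed stand-in for the real 5.x template, and the field names `app_name` and `[http][method]` are hypothetical.

```python
import copy
import json
import re

# Constructed, trimmed stand-in for the plugin's 5.x template. In practice,
# json.load() the real file from the repository linked in the answer.
BASE_TEMPLATE = {
    "template": "logstash-*",
    "settings": {"index.refresh_interval": "5s"},
    "mappings": {"_default_": {
        "dynamic_templates": [],
        "properties": {"@timestamp": {"type": "date"}},
    }},
}


def field_path(name):
    """Split 'a.b' or Logstash-style '[a][b]' into ['a', 'b']."""
    parts = re.findall(r"\[([^\]]+)\]", name) or name.split(".")
    if not all(parts):
        raise ValueError("empty path segment in %r" % name)
    return parts


def add_keyword_fields(template, fields, doc_type="_default_"):
    """Return a copy of template with each field explicitly mapped as keyword."""
    out = copy.deepcopy(template)
    root = out["mappings"][doc_type].setdefault("properties", {})
    for name in fields:
        *parents, leaf = field_path(name)
        props = root
        for seg in parents:
            # Nested fields live under the parent's own "properties" object.
            node = props.setdefault(seg, {})
            if "type" in node and node["type"] != "object":
                raise ValueError("%s is already a %s field" % (seg, node["type"]))
            props = node.setdefault("properties", {})
        if "properties" in props.get(leaf, {}):
            raise ValueError("%s is already mapped as an object" % name)
        props[leaf] = {"type": "keyword"}
    return out


if __name__ == "__main__":
    # Hypothetical custom fields extracted by the Logstash filters.
    custom = add_keyword_fields(BASE_TEMPLATE, ["app_name", "[http][method]"])
    print(json.dumps(custom, indent=2))
```

Save the output to a file and point the elasticsearch output's `template` option at it, with `template_overwrite` enabled so it replaces the installed default. The new mapping applies only to indices created after the template is installed; existing indices keep their current field types.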