Logs index template reference

Index templates are used to configure the backing indices of data streams as they’re created. These index templates are composed of multiple component templates—reusable building blocks that configure index mappings, settings, and aliases.

You can view the default logs index template in Kibana. Navigate to Stack Management → Index Management → Index Templates, and search for logs. Select the logs index templates to view relevant component templates.

The default logs index template for the logs-*-* index pattern is composed of the following component templates:

You can use the logs@custom component template to customize your Elasticsearch indices. The logs@custom component template is not installed by default, but you can create a component template named logs@custom to override and extend default mappings or settings. To do this:

Changes to component templates are not applied retroactively to existing indices. For changes to take effect, create a new write index for impacted data streams by triggering a rollover. Do this using the Elasticsearch Rollover API. For example, to roll over the logs-generic-default data stream, run:

POST /logs-generic-default/_rollover/

The logs index template uses default_field: [*] meaning queries without specified fields will search across all fields. You can update the default_field to search in the message field instead of all fields using the logs@custom component template.

If you haven’t already created the `logs@custom`component template, create it as outlined in the previous section. Then, follow these steps to update the Index settings of the component template: