use doc_values for most fields in audit indices

This changes the mappings for the audit indices to use doc_values for all fields other than the request_body, which will have a lot of variance. Additionally, the request_body field is no longer indexed. Closes elastic/elasticsearch#918 Original commit: elastic/x-pack-elasticsearch@4917529ffa
2025-03-30 03:48:54 +00:00 · 2015-06-23 08:21:06 -04:00 · 2015-06-23 08:21:06 -04:00 · d65bfd1721
commit d65bfd1721
parent f0d5c2da61
1 changed files with 34 additions and 17 deletions
--- a/src/main/resources/shield_audit_log.json
+++ b/src/main/resources/shield_audit_log.json
@ -13,70 +13,87 @@
      "properties": {
        "@timestamp": {
          "type": "date",
-          "format": "date_time"
+          "format": "date_time",
          "doc_values": true
        },
        "node_name": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "node_host_name": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "node_host_address": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "layer": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "event_type": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "origin_address": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "origin_type": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "principal": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "action": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "indices": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "request": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "request_body": {
-          "type": "string"
+          "type": "string",
          "index": "no"
        },
        "uri": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "realm": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "transport_profile": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        },
        "rule": {
          "type": "string",
-          "index": "not_analyzed"
+          "index": "not_analyzed",
          "doc_values": true
        }
      }
    }