The Elasticsearch 2.0 release introduced a major annoyance by removing support for dots in field names. We use ES for our Apache logs, with a retention policy of 365 days, and of course _all_ of the indices contained fields with a dot in the name.
What's even worse, at some point in time I had the idea to filter out the request parameters from the URI and run a kv filter on it. As we never used the resulting mess of request_params.* fields, those could just be dropped.
The first step was to update our Logstash configuration so that no dots are used in field names.
Then we needed an automated way of re-indexing all of our indices: replacing all dots (.) with underscores (_) in the field names, dropping the irrelevant fields, and moving all the data into a new index. I came up with a method using Logstash and a ruby filter, wrapped in a bash script that iterates over all indices, sed's the index name into the template below, and runs Logstash with it. Logstash shuts itself down once the index has been read in completely.
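The renaming and dropping step described above, as an added example that is not the post's own template: a plain Ruby function over the event as a hash (how it is wired into the Logstash ruby filter is left to the template and is an assumption here), which rewrites dotted keys recursively, drops the request_params.* family, and refuses to silently merge two fields whose names collide after renaming.

```ruby
# Added example (not the post's template): sanitize field names for ES 2.0.
DROP_PREFIX = 'request_params'.freeze # the post says these fields were never used

# Returns a new hash in which every key containing '.' is rewritten with '_'
# and every key in the request_params.* family is dropped.
# Nested hashes and arrays of hashes are rewritten the same way.
def sanitize_fields(doc)
  out = {}
  doc.each do |key, value|
    k = key.to_s
    # Drop "request_params", "request_params.foo" and "request_params_foo" alike.
    next if k == DROP_PREFIX || k.start_with?("#{DROP_PREFIX}.", "#{DROP_PREFIX}_")
    new_key = k.tr('.', '_')
    # "a.b" and "a_b" would collapse into one field; fail loudly instead of losing data.
    raise KeyError, "field name collision after renaming: #{k} -> #{new_key}" if out.key?(new_key)
    out[new_key] = sanitize_value(value)
  end
  out
end

# Recurse into nested documents and arrays; leave scalars untouched.
def sanitize_value(value)
  case value
  when Hash then sanitize_fields(value)
  when Array then value.map { |v| sanitize_value(v) }
  else value
  end
end

# Constructed sample document resembling an Apache log event from the post's setup.
SAMPLE_EVENT = {
  '@timestamp' => '2015-11-01T10:00:00Z',
  'clientip' => '192.0.2.10',
  'request_params.utm_source' => 'newsletter',
  'request_params.q' => 'search term',
  'http.status' => 200,
  'geoip' => { 'location.lat' => 52.5, 'location.lon' => 13.4 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  require 'json'
  puts JSON.pretty_generate(sanitize_fields(SAMPLE_EVENT))
end
```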