How to apply an Elasticsearch index template for Logstash data

Applying an Elasticsearch index template to Logstash indices keeps mappings and index settings consistent, preventing hard-to-debug failures caused by field type drift and mismatched shard or replica defaults.

Composable index templates in Elasticsearch match new indices by index_patterns, merge settings and mappings from all matching templates based on priority, and apply the resulting configuration at index creation time. The Logstash elasticsearch output plugin controls the index name, so the template pattern must match the value used for index.

Templates do not retroactively modify existing indices, so changes take effect only after a new matching index is created (or data is reindexed into a fresh index). Overlapping templates can unintentionally override mappings or settings unless priorities are set deliberately, and secured clusters may require HTTPS plus credentials or an API key for the same API calls.

Steps to apply an Elasticsearch index template for Logstash data:

Create an index template that matches the Logstash index pattern.

$ curl -sS -X PUT "http://elasticsearch.example.net:9200/_index_template/logstash-app" \
  -H "Content-Type: application/json" \
  -d '{
  "index_patterns": ["logstash-app-*"],
  "priority": 200,
  "template": {
    "settings": {
      "index.number_of_shards": 1,
      "index.number_of_replicas": 1
    },
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "message": { "type": "text" }
      }
    }
  }
}'
{"acknowledged":true}

Adjust the template name and index_patterns to match the index naming used by Logstash.

Add -u user:password or an Authorization header when the cluster requires authentication.

Set the Logstash output index to match the template pattern.

input {
  file {
    path => "/var/lib/logstash/examples/index-template.log"
    start_position => "beginning"
    sincedb_path => "/var/lib/logstash/sincedb-index-template"
  }
}

output {
  if [log][file][path] == "/var/lib/logstash/examples/index-template.log" {
    elasticsearch {
      hosts => ["http://elasticsearch.example.net:9200"]
      index => "logstash-app-%{+YYYY.MM.dd}"
      manage_template => false
    }
  }
}

The example creates indices like logstash-app-2026.01.07, which matches the logstash-app-* template pattern.

Test the Logstash pipeline configuration.
```
$ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --path.data /tmp/logstash-configtest --config.test_and_exit
Configuration OK
```
Configuration test failures indicate syntax or plugin errors that can prevent the service from starting cleanly.

Related: How to test a Logstash pipeline configuration
Restart the Logstash service.
```
$ sudo systemctl restart logstash
```
Related: How to manage the Logstash service with systemctl in Linux

Verify the index template is available in Elasticsearch.

$ curl -sS "http://elasticsearch.example.net:9200/_index_template/logstash-app?pretty"
{
  "index_templates" : [
    {
      "name" : "logstash-app",
      "index_template" : {
        "index_patterns" : [
          "logstash-app-*"
        ],
        "template" : {
          "settings" : {
            "index" : {
              "number_of_shards" : "1",
              "number_of_replicas" : "1"
            }
          },
          "mappings" : {
            "properties" : {
              "@timestamp" : { "type" : "date" },
              "message" : { "type" : "text" }
            }
          }
        },
        "composed_of" : [ ],
        "priority" : 200
      }
    }
  ]
}

Simulate template matching for a Logstash-style index name.

$ curl -sS -X POST "http://elasticsearch.example.net:9200/_index_template/_simulate_index/logstash-app-2026.01.07?pretty"
{
  "template" : {
    "settings" : {
      "index" : {
        "number_of_shards" : "1",
        "number_of_replicas" : "1",
        "routing" : {
          "allocation" : {
            "include" : {
              "_tier_preference" : "data_content"
            }
          }
        }
      }
    },
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "message" : {
          "type" : "text"
        }
      }
    },
    "aliases" : { }
  },
  "overlapping" : [ ]
}

Simulation confirms template selection and priority before relying on live ingestion.

List the matching indices created by Logstash.

$ curl -sS "http://elasticsearch.example.net:9200/_cat/indices/logstash-app-*?h=health,status,index,docs.count,store.size&v&allow_no_indices=true"
health status index                   docs.count store.size
green  open   logstash-app-2026.01.07          1     16.4kb

An empty result indicates no matching index exists yet for the pattern.

Check the index settings to confirm values were applied from the template.

$ curl -sS "http://elasticsearch.example.net:9200/logstash-app-2026.01.07/_settings?filter_path=*.settings.index.number_of_shards,*.settings.index.number_of_replicas&pretty"
{
  "logstash-app-2026.01.07" : {
    "settings" : {
      "index" : {
        "number_of_shards" : "1",
        "number_of_replicas" : "1"
      }
    }
  }
}

Replace the index name with a current index from the previous step when date-based indices are used.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.