logstash-plugins/logstash-filter-grok

Provide a way for end users to define new string mappings in 5.0+

ppf2 opened this issue · 1 comment

ppf2 commented

With the introduction of text vs. keyword fields in 5.x, it can be a nice feature to provide a way for the end user to define if a field should be mapped as text vs. keyword, instead of both (which is by default per the template). This gives the user more control over how each field is handled (and can help reduce the number of fields in general) without having to directly modify the index template.

I don't think this is something we can do on the fly, in grok, or any other plugin.

An index template is defined once, and applied every time a new index is created. How would we define a template that is supposed to exist before data is sent on to Elasticsearch, as the first element is leaving Logstash?

The bigger problem is what happens if a user is trying to send multiple document types to the same index, and the mappings end up colliding?

I'm just not sure this is feasible. A UI element that allows a user to configure grok, and have that UI element also create a mapping/index template at the same time might be a better approach. At least then the grok pattern could be tested, and the resulting fields mapped in a UI.