From 8caa64fb61b4f8f387ea95549a8b530c8135e74f Mon Sep 17 00:00:00 2001 From: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> Date: Tue, 20 Feb 2024 16:31:35 -0600 Subject: [PATCH] Create a logs@custom index template reference (#3593) (cherry picked from commit ecf1c57c96007383575b89b451e6824999254300) --- docs/en/observability/index.asciidoc | 2 + docs/en/observability/logs-checklist.asciidoc | 12 +++- .../logs-index-template.asciidoc | 63 +++++++++++++++++++ 3 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 docs/en/observability/logs-index-template.asciidoc diff --git a/docs/en/observability/index.asciidoc b/docs/en/observability/index.asciidoc index 920ddc85eb..859e000709 100644 --- a/docs/en/observability/index.asciidoc +++ b/docs/en/observability/index.asciidoc @@ -57,6 +57,8 @@ include::inspect-log-anomalies.asciidoc[leveloffset=+3] include::configure-logs-sources.asciidoc[leveloffset=+3] +include::logs-index-template.asciidoc[leveloffset=+2] + include::logs-troubleshooting.asciidoc[leveloffset=+2] // Infrastructure diff --git a/docs/en/observability/logs-checklist.asciidoc b/docs/en/observability/logs-checklist.asciidoc index 830a71a3d0..d16b7cf462 100644 --- a/docs/en/observability/logs-checklist.asciidoc +++ b/docs/en/observability/logs-checklist.asciidoc @@ -104,11 +104,19 @@ The following resources provide information on viewing and monitoring your logs: == Application logs Application logs provide valuable insight into events that have occurred within your services and applications. -See <>. +Refer to <>. [discrete] [[logs-alerts-checklist]] == Create a logs threshold alert You can create a rule to send an alert when the log aggregation exceeds a threshold. -See <>. \ No newline at end of file + +Refer to <>. + +[discrete] +[[logs-template-checklist]] + +Configure the default `logs` template using the `logs@custom` component template. + +Refer to the <>. \ No newline at end of file 
diff --git a/docs/en/observability/logs-index-template.asciidoc b/docs/en/observability/logs-index-template.asciidoc new file mode 100644 index 0000000000..02bcabc941 --- /dev/null +++ b/docs/en/observability/logs-index-template.asciidoc 
@@ -0,0 +1,63 @@ +[[logs-index-template]] += Logs index template reference + +Index templates are used to configure the backing indices of data streams as they're created. +These index templates are composed of multiple {ref}/indices-component-template.html[component templates]—reusable building blocks +that configure index mappings, settings, and aliases. + +You can view the default `logs` index template in {kib}. +Navigate to **{stack-manage-app}** → **Index Management** → **Index Templates**, and search for `logs`. +Select the `logs` index templates to view relevant component templates. + +[discrete] +[[custom-logs-template-edit]] +== Edit the `logs` index template + +The default `logs` index template for the `logs-*-*` index pattern is composed of the following component templates: + +* `logs@mappings` +* `logs@settings` +* `logs@custom` +* `ecs@mappings` + +You can use the `logs@custom` component template to customize your {es} indices. The `logs@custom` component template is not installed by default, but you can create a component template named `logs@custom` to override and extend default mappings or settings. To do this: + +. Open {kib} and navigate to **{stack-manage-app}** → **Index Management** → **Component Templates**. +. Click *Create component template*. +. Name the component template logs@custom. +. Add any custom metadata, index settings, or mappings. + +Changes to component templates are not applied retroactively to existing indices. For changes to take effect, create a new write index for impacted data streams by triggering a rollover. Do this using the {es} {ref}/indices-rollover-index.html[Rollover API]. 
For example, to roll over the `logs-generic-default` data stream, run: + +[source,console] +---- +POST /logs-generic-default/_rollover/ +---- + +[discrete] +[[custom-logs-template-default-field]] +=== Set the `default_field` using the custom template + +The `logs` index template uses `default_field: [*]` meaning queries without specified fields will search across all fields. +You can update the `default_field` to search in the `message` field instead of all fields using the `logs@custom` component template. + +If you haven't already created the `logs@custom`component template, create it as outlined in the previous section. Then, follow these steps to update the *Index settings* of the component template: + +. Open {kib} and navigate to **{stack-manage-app}** → **Index Management** → **Component Templates**. +. Search for `logs` and find the `logs@custom` component template. +. Open the **Actions** menu and select **Edit**. +. Select **Index settings** and add the following code: ++ +[source,json] +---- +{ + "index": { + "query": { + "default_field": [ + "message" + ] + } + } +} +---- +. Click **Next** through to the **Review** page and save the component template. \ No newline at end of file
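Review bot: In the logs-checklist.asciidoc hunk, the new `[[logs-template-checklist]]` block is missing its section heading. The two sections above it follow `[discrete]` and the anchor with a `== ...` title (`== Application logs`, `== Create a logs threshold alert`), but the added block goes straight from `[[logs-template-checklist]]` to the paragraph `Configure the default `logs` template ...`, so the anchor attaches to a paragraph and the checklist entry has no title in the rendered page or in cross-references. Add a heading line such as `== Configure the logs index template` between the anchor and the paragraph. Minor: the file still ends without a trailing newline.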
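Review bot: In the logs-index-template.asciidoc hunk, the text should state that anything placed in `logs@custom` applies to every data stream matched by the `logs-*-*` pattern, not only `logs-generic-default`, since the hunk itself says the default `logs` index template for `logs-*-*` is composed of `logs@custom` among others. A reader following the `default_field` example will otherwise not realise that free-text queries against all logs data streams, including saved searches and the logs threshold alert rules referenced from the checklist, stop matching on fields other than `message`; one sentence spelling out that scope and consequence before the rollover paragraph would cover it. Also fix the formatting nits in the same hunk: `Name the component template logs@custom.` should use backticks like every other mention, `the `logs@custom`component template` is missing a space, and `Select the `logs` index templates` should be singular (`index template`) to match the rest of the section.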