John Frizelle Ok, last update for now.

I wasn't able to make copy_to working. I asked a question in StackOverflow: https://stackoverflow.com/questions/52836184/elasticsearch-copy-to-with-dynamic-template

I was chatting with Keyang Xiang and Wojciech Trocki about this problem and we decided to solve this problem another way.
We'll wrap the audit log json in a field called "audit" and that ends up having the top level fields like "audit.operationType", "audit.path" etc.
This would stop polluting the top level.

I will monitor the StackOverflow question and if there's a proper answer we can talk again which approach is better.

Resolving this issue now.