Hello,
Is it possible to make the index filed for Apache or IIS or Nginx for the .access.user_agent.original string show up as searchable and aggregatable?
I'd like to have this show up as sometimes all of the user agent fields show "other" which doesn't help me much.
Do you mind opening a new enhancement request on Github? https://github.com/elastic/beats/issues/new?template=feature-request.md
In the interim, if they do decide to add the feature, you could always create a new filebeat template (setting the order number higher than the built-in templates which I believe for the latest version of filebeat are set to 1. Using this template should do the trick (change the index pattern if you need to):
PUT _template/filebeat-custom
{
"order" : 2,
"index_patterns" : [
"filebeat-6.5.1-*"
],
"mappings" : {
"doc" : {
"properties" : {
"apache2" : {
"properties" : {
"access" : {
"properties" : {
"user_agent" : {
"properties" : {
"original" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
}
}
},
"iis" : {
"properties" : {
"access" : {
"properties" : {
"user_agent" : {
"properties" : {
"original" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
}
}
},
"nginx" : {
"properties" : {
"access" : {
"properties" : {
"user_agent" : {
"properties" : {
"original" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
}
}
}
}
}
},
"aliases" : { }
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.