I am using filebeat with ES as output.
I have specified:
    input_type: log
    document_type: apache
    paths:
      - /var/log/httpd/*_log
in /etc/filebeat/filebeat.yml and am able to successfully see results in Kibana. However, I am playing around with "Watcher" and trying to create a watch based on an HTTP return code of 404. I see no field in my Kibana filebeat results that corresponds to, and only to, "404", something like "response". I am afraid I am missing something, because filebeat and ELK are BIG products, and help would be appreciated.