I am using filebeat and i would like to know that to create a mapping do i need to know the field name or should i start the filebeat and analyse that these the fields are coming i can see in kibana discover and after that i start with mapping
Hi @Aniket_Pant 
If you know your input data, it's always better to define your own mapping for 2 main reasons:
- You can leave out fields that you aren't going to query later hence saving disk space.
- You can define multi-field mapping in fields where you feel like you may need it. This is very common in fields where you need a text and a keyword mapping, a date field or when you define a geo point which isn't captured by the automatic mapping.
Thank you so much for your reply but my strategy to this mapping is that i have to install beat in my system then in kibana i analysed which fields are coming then i create mapping but this is not a good way. Sometime i install packetbeat and think that whatever the beat i installed they have common field agen.type ,agent.name,host.ip etc, i can create mapping for those field but what about other fields
Beats comes with their own mappings that are usually "installed" into Elasticsearch with the setup commands like metricbeat setup. If it's just to use Beats, you should not be worried about mappings at all.
Just to clarify, you should not be mixing your own data with the Beats data in the same index. Create an index for your business data (which is where you should care most about the mappings)
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.