Cannot append_fields on custom template

Hello!

I am using filebeat 7.17.6 and I am using the nginx module.

I have altered the access log pipeline to include additional fields.
Everything is grokked fine.

My issue is that when i define the additional fields they are added to the filebeat-* template and not to my custom nginx-logs* template.

my config :

name: ${BEAT_NAME:default}
filebeat.modules:
  #--------------------------------- Nginx Module ---------------------------------
  - module: nginx
    # Access logs
    access:
      enabled: true
      var.paths: ["/nginx/*access.log"]
    error:
      enabled: true
      var.paths: ["/nginx/error.log"]


setup.template.settings:
  index.number_of_shards: 1


output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.17.0.1:9243"]
  index: "nginx-logs-%{+yyyy.MM.dd}"
  username: "beat_user"
  password: "beat_pass"
  protocol: https
  ssl.verification_mode: none
  headers:
    X-Found-Cluster: ${FILEBEAT_OUTPUT_ES_CLUSTER_ID}

setup:
  ilm:
    enabled: true
    overwrite: true
    rollover_alias: "nginx-logs"
    pattern: "{now/d}-000001"
    policy_file: /usr/share/filebeat/ilm.policy.nginx.json
  template:
    name: "nginx-logs"
    overwrite: true
    pattern: "nginx-logs*"
    append_fields:
        - name: nginx.access.request_time
          type: float
        - name: nginx.access.upstream_header_time
          type: float
        - name: nginx.access.upstream_connect_time
          type: float
        - name: nginx.access.upstream_response_time
          type: float

xpack.monitoring.enabled: true

I had another filebeat instance running which created the indices anew after deleting them.
The above solution works.

Closing.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.