Configuring analyser for field inside filbeat configuration file

bbtl · April 15, 2021, 12:31pm

Hi

I am currently using filbeat to send logs to ELK stack. However, one of the fields has a syslog structure and I would like to force filbeat to use a whitespace analyser and I would also like to have the .raw version of the field for regex search.

I have searched the documents and the closest I can see to this is: setup.template.settings on: Configure Elasticsearch index template loading | Filebeat Reference [7.12] | Elastic

However, I don't really know how to use this field to configure the mappings as I see on: Update index settings API | Elasticsearch Guide [7.12] | Elastic.

Would someone be so kind to help me with this. I cannot seem to find any online examples for this.

Thanks ind advance

jsoriano · May 10, 2021, 4:44pm

Hey @bbtl, welcome to discuss

Are you using any of the Filebeat modules, or you are using the syslog input directly?

Would be an option for this to use processors? They would allow to move your original field to some field like .raw, and then use processors such as dissect or script to extract the information you need.

system · June 7, 2021, 6:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.