Create Index Template in FileBeat and No Effect on datatype of Date


#1

I created a custom template.json in the Filebeat folder and configured it as template.path in filebeat.yml.
The template contains a field named local_timestamp, which is a date field in my logs,
like this:
"local_timestamp": {
  "type": "date",
  "format": "yyyy-MM-dd HH:mm:ss||dd-MMM-yyyy HH:mm:ss.SSS"
}
I also set up the ingest node on my Elasticsearch server and added a grok processor to extract the date from my log message into a field named local_timestamp.

But I can only see that the local_timestamp field is of type text in Kibana and in Elasticsearch's mapping API response.

What should I do to set the field datatype to date? Must I set the mapping through the API rather than Filebeat's template?


(Steffen Siering) #2

Check the template and the actual mapping applied to the index. A template is only applied when a new index is generated. If the index already existed before you updated the template, the changes to the template will not be visible in the already existing indices. Plus, by default Filebeat does not overwrite an existing template in Elasticsearch.
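
An added example, not part of the original thread and not Filebeat's own code: a Python check that compares the field types in a template against a mapping API response, so an index created before the template change stands out. The index names and the `beat.hostname` field are constructed sample data.

```python
import json

# Constructed sample: the template mapping from the question plus one object field.
TEMPLATE = json.loads("""{"mappings": {"doc": {"properties": {
  "local_timestamp": {"type": "date",
                      "format": "yyyy-MM-dd HH:mm:ss||dd-MMM-yyyy HH:mm:ss.SSS"},
  "beat": {"properties": {"hostname": {"type": "keyword"}}}}}}}""")

# Constructed mapping API response: one index created before the template
# change (field dynamically mapped as text) and one created after it.
MAPPING_RESPONSE = json.loads("""{
  "filebeat-2017.11.30": {"mappings": {"doc": {"properties": {
    "local_timestamp": {"type": "text",
                        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    "beat": {"properties": {"hostname": {"type": "keyword"}}}}}}},
  "filebeat-2017.12.01": {"mappings": {"doc": {"properties": {
    "local_timestamp": {"type": "date",
                        "format": "yyyy-MM-dd HH:mm:ss||dd-MMM-yyyy HH:mm:ss.SSS"},
    "beat": {"properties": {"hostname": {"type": "keyword"}}}}}}}
}""")

def flatten(properties, prefix=""):
    """Flatten a mapping 'properties' tree into {dotted.field: type}."""
    out = {}
    for name, spec in properties.items():
        if "properties" in spec:  # object field: recurse into its children
            out.update(flatten(spec["properties"], prefix + name + "."))
        else:
            out[prefix + name] = spec.get("type")
    return out

def typed_fields(mappings):
    """Collect fields from every mapping type; the type name itself is ignored."""
    fields = {}
    for body in mappings.values():
        fields.update(flatten(body.get("properties", {})))
    return fields

def mapping_drift(template, mapping_response):
    """Return {index: {field: (template_type, index_type)}} for mismatches."""
    expected = typed_fields(template["mappings"])
    drift = {}
    for index, body in mapping_response.items():
        actual = typed_fields(body["mappings"])
        diff = {f: (t, actual.get(f)) for f, t in expected.items() if actual.get(f) != t}
        if diff:
            drift[index] = diff
    return drift

if __name__ == "__main__":
    print(json.dumps(mapping_drift(TEMPLATE, MAPPING_RESPONSE), indent=2))
```

A field missing from an index is reported with an index type of `None`, which separates "not mapped yet" from "mapped with the wrong type".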


#3

Thanks for your reply; indeed, it was caused by the template not being overwritten.
One more question: why does a type of 'doc' exist in my index when I only defined the type name 'logs'?


(Steffen Siering) #4

Elasticsearch is going to remove support for types. To deal with this in the future with the least impact on Beats, the most recent Beats always set the type to docs.

