I have changed the mapping of a field in fields.yml and saved it as fields-patched.yml in C:\Program Files\Winlogbeat\.
In winlogbeat.yml, I have set this:
setup.template.fields: "${path.config}/fields-patched.yml"
I then stop Winlogbeat service, delete the current datastream from Elasticsearch, and start Winlogbeat again.
But my field definition is not used.
What am I doing wrong?
You would also need need to delete the winlogbeat template (e.g. DELETE _index_template/winlogbeat-8.16.0) otherwise I don't think it will overwrite the existing template.
1 Like
Thank you so much!
This would have taken me a long time to find out by myself 