the article refers in filebeat go for new filebeat module development.
Which article?
You need to adapt the template mapping. This is normally done by adjusting fields.yml, but is also possible via json. There is a number of settings for template setup documented here. The setup.template.append_fields setting might fit your needs.
thanks steffens, since i am using the filebeat 6.3.2 version so i had to use the fields.yml for field configuration and i am able to get it after the current index deletion and restarted the filebeat configuration.
i have a question
When i update the fields.yml does it take effect only on new index creation or any steps to be performed ?
if i have 500 servers and i need the custom fields.yml in single server (custom logs) in that server i had to enable the option of template overwrite?
When i update the fields.yml does it take effect only on new index creation or any steps to be performed ?
The fields.yml is used to install a template mapping. This is a one time setup step. Afterwards Elasticsearch will use the template mapping to create an index.
You can use setup or enable template overwriting to force the template to be replaced. This will only affect new indices though.
if i have 500 servers and i need the custom fields.yml in single server (custom logs) in that server i had to enable the option of template overwrite?
Yes, overwrite might help here. But once you add another server needing to add another field you might have a problem. Then you should consider to have an extra centralized configuration with a centralized fields.yml and run run filebeat setup if required.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.