Customizing source field

I use filebeat with Graylog and noticed that there the source is always set to admin, even if I override it with

fields:
   source: srcm

I also tried to set it in the top-level prospector configuration as

-
   #some config
   source: srcm
   #other config

How can I customize it?

Specifying

fields_under_root: true

does not work either.

Can you please share your full config file and the filebeat version you are using?

No problem.
filebeat version 1.2.3 (amd64)

filebeat-test.yml:

filebeat:
  prospectors:
    -
      paths:
        - /path/to/log/file
      input_type: log
      fields_under_root: true
      source: srcm
      multiline:
        pattern: '_pattern_'
        negate: true
        match: after
      fields:
        source: srcm
        #other project-specific properties
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["0.0.0.0:5044"]
logging:
  files:
    rotateeverybytes: 10485760

I have tried some variations of setting the source field, such as with or without fields_under_root set to true, setting it as a top-level prospector field and so forth, but it doesn't work. How can I override it? Maybe that's a Graylog issue?

I think the problem is with the name source. This field is already used for the filename source. But if you use it under fields without fields_under_root it should work.

Can you run filebeat with -e -d "publish" and check if the fields.source shows up? If yes, it is probably Graylog specific.
