I have been testing ELK for a few months and was previously on 5.6. Filebeat -> Logstash -> Elasticsearch. In 5.6 Filebeat I would assign a document_type to a log. I was working with 2 types of logs:
filebeat.prospectors:
- input_type: log
paths:- /splunkcdrs/elastics/elastics/sbc/*.spl
document_type: sbc
- /splunkcdrs/elastics/elastics/sbc/*.spl
- input_type: log
paths:- /splunkcdrs/elastics/elastics/coins/*.spl
document_type: coins
- /splunkcdrs/elastics/elastics/coins/*.spl
In logstash, I would apply mapping(filter) based off of document type:
if [document_type] == "sbc" apply one mapping
if [document_type] == "coins" apply a different mapping
This worked great. I see in 6.1.0 they have eliminated document_type.
No matter what I try, I can no longer get the mappings applied.
I tried changing document_type to type in Filebeat. And the same in the Logstash configs with no luck.
I see in Kibana there is a prospector.type. I tried to update the Logstash configs with prospector.type but did not work as well.
Any assistance on how I should proceed would be greatly appreciated.