Document Type in version 6.1.0

Frank_Matera · January 3, 2018, 2:10pm

I have been testing ELK for a few months and was previously on 5.6. Filebeat -> Logstash -> Elasticsearch. In 5.6 Filebeat I would assign a document_type to a log. I was working with 2 types of logs:

filebeat.prospectors:

input_type: log
paths:
- /splunkcdrs/elastics/elastics/sbc/*.spl
  document_type: sbc
input_type: log
paths:
- /splunkcdrs/elastics/elastics/coins/*.spl
  document_type: coins

In logstash, I would apply mapping(filter) based off of document type:
if [document_type] == "sbc" apply one mapping

if [document_type] == "coins" apply a different mapping

This worked great. I see in 6.1.0 they have eliminated document_type.

No matter what I try, I can no longer get the mappings applied.

I tried changing document_type to type in Filebeat. And the same in the Logstash configs with no luck.

I see in Kibana there is a prospector.type. I tried to update the Logstash configs with prospector.type but did not work as well.

Any assistance on how I should proceed would be greatly appreciated.

magnusbaeck · January 6, 2018, 10:21am

Use

fields:
  document_type: sbc
fields_under_root: true

in the Filebeat configuration to get a document_type field in each event.

system · February 3, 2018, 10:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Recommended way of telling Logstash type of logs Beats filebeat	2	806	February 8, 2018
Field "document_type" sent via filebeat as "type" field to ES is ananlyzed Kibana	5	984	October 10, 2017
Confusions around ELK6 types Elasticsearch	5	2312	April 13, 2018
Filebeats - Multiple and different file types Beats	4	27011	July 5, 2017
Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6} Logstash	3	16250	July 10, 2019

Document Type in version 6.1.0

Related Topics