Document Type in version 6.1.0

Frank_Matera · January 3, 2018, 2:10pm

I have been testing ELK for a few months and was previously on 5.6. Filebeat -> Logstash -> Elasticsearch. In 5.6 Filebeat I would assign a document_type to a log. I was working with 2 types of logs:

filebeat.prospectors:

input_type: log
paths:
- /splunkcdrs/elastics/elastics/sbc/*.spl
  document_type: sbc
input_type: log
paths:
- /splunkcdrs/elastics/elastics/coins/*.spl
  document_type: coins

In logstash, I would apply mapping(filter) based off of document type:
if [document_type] == "sbc" apply one mapping

if [document_type] == "coins" apply a different mapping

This worked great. I see in 6.1.0 they have eliminated document_type.

No matter what I try, I can no longer get the mappings applied.

I tried changing document_type to type in Filebeat. And the same in the Logstash configs with no luck.

I see in Kibana there is a prospector.type. I tried to update the Logstash configs with prospector.type but did not work as well.

Any assistance on how I should proceed would be greatly appreciated.

magnusbaeck · January 6, 2018, 10:21am

Use

fields:
  document_type: sbc
fields_under_root: true

in the Filebeat configuration to get a document_type field in each event.

system · February 3, 2018, 10:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Configuration when removing specified type mapping Logstash	5	969	December 8, 2018
Recommended way of telling Logstash type of logs Beats filebeat	2	806	February 8, 2018
Now that support for type has been removed in filebeat 6, how to add filters in logstash config? Logstash	2	1659	December 28, 2017
Field "document_type" sent via filebeat as "type" field to ES is ananlyzed Kibana	5	984	October 10, 2017
Is document_type in filebeat same as type in logstash filter? Beats filebeat	3	2438	February 6, 2018

Document Type in version 6.1.0

Related topics