Does filebeat.yml setup.template.append_fields support multi-fields for elasticsearch index template?

Elastic Stack Beats
1

I'm configuring the filebeat filebeat.yml to load elasticsearch index templates.

I have a few fields that I'd like to index as both type keyword and type text so I can use them for sorting and aggregation as well as for case-insensitive full-text search. This is supported using multi-fields but I can't figure out if filebeat supports creating templates for multi-fields.

For example, I'd like the field copr.service to have both keyword and text types.

setup.template.name: "filebeat-6.6.1-application"
setup.template.fields: "fields.yml"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 8
  index.number_of_replicas: 2
  index.number_of_routing_shards: 16
  index.codec: best_compression
  _source.enabled: true
setup.template.append_fields:
- name: corp.environment
  type: keyword
- name: corp.service
  type: text
- name: corp.role
  type: keyword
- name: corp.log.ingestedTimestamp
  type: date

Thanks!

Peter

1 Like
2

The keyword multi_fieldsis supported by the fields.yml format and append_fieldsoption.
You can define the field the following way as in the example in the documentation:

setup.template.append_fields:
- name: corp.service
  type: text
  multiple_fields:
    - type: keyword
      name: raw
1 Like
3

Thanks very much.

It took a bit to test because there is a typo in the code portion of your response. It should be multi_fields: not multiple_fields: in the filebeat.yml, as you put in the text portion of your response.

This configuration is working for me:

setup.template.append_fields:
- name: corp.service
  type: text
  multi_fields:
    - type: keyword
      name: raw

You hooked me up, I really appreciate it!!

p

1 Like
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.