So I have 2 indexes created every day on my elkstack:
filebeat-%{[@metadata][version]}-2020.10.03
filebeat-7.9.2-2020.10.03
The filebeat-7.9.2-2020.10.03 index is from the ELK server itself, and the other
is from Filebeat from 2 remote syslog servers that collect all our logs with Filebeat.
It would be fine, even though the metadata and version are not getting filled out, except the search doesn’t work. When I discover/search, I only
get the elkstack Ubuntu server and a bunch of error popups for "1 of 3 shards failed".
I traced it down to the index not having this in the settings:
"index.max_docvalue_fields_search": "200"
When I edit it manually and add it, it works. I am trying to find a way to add it when the
new index is created every day.
I tried adding that to /etc/filebeat/filebeat.yml so that it would add it on creation, but no luck:
setup.template.settings:
  index.number_of_shards: 1
  index.max_docvalue_fields_search: 200
Also, the filebeat-7.9.2* index from the elkserver itself has a template with this info and the other does not, so I cloned it and called it filebeat- in the hopes that it would use that, but it would not.
Any ideas?
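
An added example, not part of the original post: one way to have the setting applied when each daily index is created is an Elasticsearch index template whose pattern covers both index names shown above. The template name `filebeat-docvalue-limit`, the `order` value and the `ES_URL` default (local node, no authentication) are assumptions.

```shell
#!/bin/sh
# Added example. ES_URL and TEMPLATE_NAME are assumptions; adjust to your cluster.
ES_URL="${ES_URL:-http://localhost:9200}"
TEMPLATE_NAME="filebeat-docvalue-limit"   # hypothetical template name

# Legacy (_template) body. The pattern "filebeat-*" covers both daily names
# from the post, including the one with the unexpanded %{[@metadata][version]}.
# "order": 10 is chosen so this merges on top of lower-order filebeat templates.
template_body() {
  cat <<'EOF'
{
  "index_patterns": ["filebeat-*"],
  "order": 10,
  "settings": {
    "index.max_docvalue_fields_search": 200
  }
}
EOF
}

# Returns 0 when index name $1 matches wildcard pattern $2 ('*' only).
matches_pattern() {
  case "$1" in
    $2) return 0 ;;
    *)  return 1 ;;
  esac
}

# Store the template in Elasticsearch.
put_template() {
  template_body | curl -sS -X PUT "$ES_URL/_template/$TEMPLATE_NAME" \
    -H 'Content-Type: application/json' --data-binary @-
}

# Show the setting on existing indices (default: all filebeat-* indices).
show_setting() {
  curl -sS -g "$ES_URL/${1:-filebeat-*}/_settings/index.max_docvalue_fields_search?pretty"
}

# Nothing is sent unless the script is invoked with "apply".
if [ "${1:-}" = "apply" ]; then
  put_template
fi
```

Templates are only read when an index is created, so indices that already exist keep their current settings until edited directly, and `show_setting` will reflect the template from the next daily index onward.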