I've installed Filebeat on my ES boxes to ship ES slowlogs to a separate Elasticsearch cluster.
I installed it from the deb package (v7.6.0 to match my ES version), activated the elasticsearch module, ran the setup and started the service.
It seems to work, in that the service is running and events are appearing in the Elasticsearch cluster I have shipped them to. However, it's missing fields such as took_millis.
elasticsearch.slowlog.took is on there (as a term, e.g. 780s, so I can't make pretty graphs from it), and the event.duration field - I don't know what's stored in that field because it seems to bear no relation to the actual duration of the query - but took_millis was not parsed out and indexed. What do I need to do to get that working?
Any help much appreciated.
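As an added check, not part of the original post or of Filebeat's own module code, the snippet below pulls took_millis and took out of a 7.x-style slowlog line and converts took to nanoseconds, the unit ECS specifies for event.duration, so the raw value per line can be compared against what gets indexed. The sample lines are constructed in the 7.x search and index slowlog layout; the unit names accepted for took are Elasticsearch's TimeValue suffixes.

```python
import re
from decimal import Decimal
from typing import Dict, Optional

# ES 7.x slowlog lines carry took[<number><unit>] and took_millis[<int>] as
# key[value] pairs; these regexes pick exactly those two out of a raw line.
_TOOK_RE = re.compile(r"\btook\[([^\]]+)\]")
_TOOK_MILLIS_RE = re.compile(r"\btook_millis\[(\d+)\]")
_TIME_VALUE_RE = re.compile(r"^(\d+(?:\.\d+)?)(nanos|micros|ms|s|m|h|d)$")

# TimeValue unit -> nanoseconds, the unit ECS specifies for event.duration.
_UNIT_TO_NS = {"nanos": 1, "micros": 10**3, "ms": 10**6, "s": 10**9,
               "m": 60 * 10**9, "h": 3600 * 10**9, "d": 86400 * 10**9}

def parse_took_to_ns(took: str) -> Optional[int]:
    # Convert a TimeValue string such as '780ms' or '2.1ms' to nanoseconds;
    # Decimal avoids float rounding error on fractional values.
    match = _TIME_VALUE_RE.match(took.strip())
    if not match:
        return None
    number, unit = match.groups()
    return int(Decimal(number) * _UNIT_TO_NS[unit])

def parse_slowlog_line(line: str) -> Dict[str, Optional[int]]:
    # Return took_millis and took (in ns); None marks a field that is absent
    # or unparseable, i.e. one that would be lost at index time.
    millis = _TOOK_MILLIS_RE.search(line)
    took = _TOOK_RE.search(line)
    return {
        "took_millis": int(millis.group(1)) if millis else None,
        "took_ns": parse_took_to_ns(took.group(1)) if took else None,
    }

def durations_agree(parsed: Dict[str, Optional[int]]) -> bool:
    # took_millis is the whole-millisecond value of took; the took string is
    # printed with one decimal, so allow up to 1 ms of slack between them.
    if parsed["took_millis"] is None or parsed["took_ns"] is None:
        return False
    return abs(parsed["took_ns"] / 10**6 - parsed["took_millis"]) <= 1.0

# Constructed sample lines in the 7.x search/index slowlog layout, not real logs.
SAMPLE_SEARCH = ('[2020-02-20T10:00:00,000][WARN ][i.s.s.query] [node-1] [myindex][0] '
                 'took[780ms], took_millis[780], total_hits[10 hits], types[], stats[], '
                 'search_type[QUERY_THEN_FETCH], total_shards[1], source[{}], id[],')
SAMPLE_INDEX = ('[2020-02-20T10:00:01,000][INFO ][i.i.s.index] [node-1] [myindex/abc] '
                'took[2.1ms], took_millis[2], type[_doc], id[1], routing[], source[{}]')
SAMPLE_TRUNCATED = '[2020-02-20T10:00:02,000][WARN ][i.s.s.query] [node-1] [myindex][0] took[9s]'
```

Running parse_slowlog_line over the raw slowlog file and durations_agree over each result shows which lines carry a usable took_millis before Filebeat ever sees them.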