@lenn4rd I would recommend to load the templates each time. If you connect to ES directly it will happen automatically. The reason is assuming there is a bug in a field name for 6.3.1 we can fix it in 6.3.2. Setup does more then just the template, also dashboards. There having each bugfix release is nice to have but it's not a must.
@Diggy Filebeat templates look good. You need to make sure you also index into the according index patterns containing the Filebeat version number.
How do I do that? As you've seen, I already have a pattern filebeat-*. If I try to create one named e.g. filebeat-6.3.1-*, it doesn't work. "curl 10.0.101.101:9200/_cat/indices?v|sort -n" produces this:
~
yellow open filebeat-2018.07.23 mfM-dBQ9RyyxAQ7ZiShH3Q 5 1 37002 0 14.1mb 14.1mb
yellow open filebeat-2018.07.24 1GVQtjKfSP2zBHhWx68Zwg 5 1 104780 0 37.8mb 37.8mb
yellow open filebeat-2018.07.25 TxoZtDKUQzmZuZcgeGGMeg 5 1 33309 0 9.4mb 9.4mb
yellow open filebeat-2018.07.26 TJ-S3DExQhaCP0o6r1YnJA 5 1 66880 0 22.6mb 22.6mb
~
(The yellow condition is presumable from having only one elasticsearch instance. That's what I think, anyway.)
Again, apologies for dragging this out, and for asking questions, the answers to which I should probably know.
That makes sense, thanks for the heads up. Filebeat sends its data to Logstash but I'll set up my update routine so that templates and dashboards are updated once I deploy new agent versions.
And, I do that how?
If you use the Elasticsearch output as recommended in our Beats getting started it will do it automatically for you: https://www.elastic.co/guide/en/elastic-stack-overview/6.3/get-started-elastic-stack.html#logstash-setup
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.