Filebeat 6.0.0 prospectors and fields

panic · December 7, 2017, 3:59am

Hi,
I'm currently using filebeat 5.6.5 to extract data from specific log types with using the following configuration:

filebeat.prospectors:

- type: log
  paths:
    - /logfiles/x.log
  fields:
     document_type: x
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

- type: log
  paths:
    - /logfiles/y.log
  fields:
     document_type: y

- type: log
  paths:
    - /logfiles/z.log
  fields:
     document_type: z

The output in 5.6.5 looks something like this:

{"@timestamp":"2017-12-07T03:37:45.936Z","beat":{"hostname":"aaa","name":"aaa","version":"5.6.5"},"fields":{"document_type":"x"},"source":"/logfiles/x.log"}
{"@timestamp":"2017-12-07T03:37:45.936Z","beat":{"hostname":"aaa","name":"aaa","version":"5.6.5"},"fields":{"document_type":"y"},"source":"/logfiles/y.log"}
{"@timestamp":"2017-12-07T03:37:45.936Z","beat":{"hostname":"aaa","name":"aaa","version":"5.6.5"},"fields":{"document_type":"z"},"source":"/logfiles/z.log"}

Using the same configuration in 6.0.0 I end up with all of the document_type fields being set as "z" for all unique sources. (also the output is a lot messier... the fields aren't necessarily in the same order)

{"@timestamp":"2017-12-07T01:19:48.018Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"source":"/logfiles/x.log","prospector":{"type":"log"},"fields":{"document_type":"z"},"beat":{"name":"aaa","hostname":"aaa","version":"6.0.0"}}
{"@timestamp":"2017-12-07T01:19:48.018Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"source":"/logfiles/y.log,"prospector":{"type":"log"},"fields":{"document_type":"z"},"beat":{"name":"aaa","hostname":"aaa","version":"6.0.0"}}
{"@timestamp":"2017-12-07T01:19:48.018Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"prospector":{"type":"log"},"fields":{"document_type":"z"},"beat":{"version":"6.0.0","name":"aaa","hostname":"aaa"},"source":"/logfiles/z.log}

It just seems to set the last value... I believe this is a bug?
Has something changed in the way fields are handled?
I looked up the reference, but from what I can tell, it should work.

ruflin · December 7, 2017, 5:09am

You are hitting this issue here: https://github.com/elastic/beats/pull/5808

panic · December 7, 2017, 5:35am

Ah, thanks ruflin!

system · January 4, 2018, 5:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with setting up "Multiple prospectors" in filebeat Beats filebeat	12	3690	June 30, 2016
"Filebeat.prospectors has been removed" Beats filebeat	2	11408	November 26, 2019
Filebeat.yml can not convert String into Object Beats filebeat	4	5567	February 6, 2019
FileBeat not able to read new files Beats filebeat	5	1936	July 18, 2017
Extract information from Prospectors Path Beats filebeat	2	444	May 31, 2017

Filebeat 6.0.0 prospectors and fields

Related Topics