Filebeat 6.0.0 prospectors and fields

panic · December 7, 2017, 3:59am

Hi,
I'm currently using filebeat 5.6.5 to extract data from specific log types with using the following configuration:

filebeat.prospectors:

- type: log
  paths:
    - /logfiles/x.log
  fields:
     document_type: x
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after

- type: log
  paths:
    - /logfiles/y.log
  fields:
     document_type: y

- type: log
  paths:
    - /logfiles/z.log
  fields:
     document_type: z

The output in 5.6.5 looks something like this:

{"@timestamp":"2017-12-07T03:37:45.936Z","beat":{"hostname":"aaa","name":"aaa","version":"5.6.5"},"fields":{"document_type":"x"},"source":"/logfiles/x.log"}
{"@timestamp":"2017-12-07T03:37:45.936Z","beat":{"hostname":"aaa","name":"aaa","version":"5.6.5"},"fields":{"document_type":"y"},"source":"/logfiles/y.log"}
{"@timestamp":"2017-12-07T03:37:45.936Z","beat":{"hostname":"aaa","name":"aaa","version":"5.6.5"},"fields":{"document_type":"z"},"source":"/logfiles/z.log"}

Using the same configuration in 6.0.0 I end up with all of the document_type fields being set as "z" for all unique sources. (also the output is a lot messier... the fields aren't necessarily in the same order)

{"@timestamp":"2017-12-07T01:19:48.018Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"source":"/logfiles/x.log","prospector":{"type":"log"},"fields":{"document_type":"z"},"beat":{"name":"aaa","hostname":"aaa","version":"6.0.0"}}
{"@timestamp":"2017-12-07T01:19:48.018Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"source":"/logfiles/y.log,"prospector":{"type":"log"},"fields":{"document_type":"z"},"beat":{"name":"aaa","hostname":"aaa","version":"6.0.0"}}
{"@timestamp":"2017-12-07T01:19:48.018Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.0.0"},"prospector":{"type":"log"},"fields":{"document_type":"z"},"beat":{"version":"6.0.0","name":"aaa","hostname":"aaa"},"source":"/logfiles/z.log}

It just seems to set the last value... I believe this is a bug?
Has something changed in the way fields are handled?
I looked up the reference, but from what I can tell, it should work.

ruflin · December 7, 2017, 5:09am

You are hitting this issue here: https://github.com/elastic/beats/pull/5808

panic · December 7, 2017, 5:35am

Ah, thanks ruflin!

system · January 4, 2018, 5:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with setting up "Multiple prospectors" in filebeat Beats filebeat	12	3691	June 30, 2016
"Filebeat.prospectors has been removed" Beats filebeat	2	11435	November 26, 2019
Multiple prospectors in filebeat Beats filebeat	2	1057	October 12, 2018
Filebeat.yml can not convert String into Object Beats filebeat	4	5577	February 6, 2019
Harvesting same file with different prospector config Beats filebeat	8	2312	July 14, 2017

Filebeat 6.0.0 prospectors and fields

Related topics