Three days ago, all Beats were sending data properly to my Elastic instance.
I noticed a new version was available, so I upgraded all Beats, including Elastic and Kibana, from 6.2.3 to 6.2.4. (I am using all Beats except winlog.)
After the upgrade, everything is working as before, except that Filebeat and Packetbeat are not sending _source data to Elasticsearch. On Kibana's Discover tab, only the date is showing and the _source next to it is empty. But I can see some hits coming in on the graph visualization at the top.
I checked everything (for the last 2 days), but I don't know what I missed...
@shivang_patel I've taken a look at the changelog between 6.2.3 and 6.2.4 and I don't see any changes related to the mapping. The _source field is managed on the Elasticsearch side. I've tested with FB 6.2.4 with the default template mapping and the _source is included.
I know we added the ability to disable _source in the generated index templates. But the configuration to disable source is commented out in the config files we distribute with the Beats. If you're letting the Beat generate the index template, then did you uncomment this option?
@shivang_patel I think the easiest way to get running is to delete the template mapping and let Filebeat create it again. Make sure _source.enabled: false is commented out before starting it.
The way templates work is to dynamically assign a specific mapping to a matching index_pattern, in your case "filebeat-6.2.4-*". So when Filebeat creates a new index that matches the pattern, the mapping will be automatically applied. If you look at the mapping for the created index after your change, the _source.enabled should be set to true.
The mapping of previously created indices won't change; the only way to change it is to reindex your data.
But in your case you want to have access to the _source. This field contains the original JSON data. When _source.enabled is set to false we don't persist it; it is gone. The only way to have it is to reindex your data from the original file.
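As an added example that is not part of the thread or of the Beats project: a Python check over the parsed JSON of a `GET _template` response that lists which templates would disable _source for a given index name, which is useful before relying on those indices for investigation. The sample response and template names are constructed, and the code assumes templates use the `index_patterns` key with `*` wildcards.

```python
import fnmatch

def source_enabled(mappings):
    """Return False if a template's mappings body disables _source.

    Handles the typeless layout (mappings._source) and the 6.x typed
    layout (mappings.<type>._source, e.g. type "doc" used by Beats 6.x).
    """
    bodies = [mappings] + [v for v in mappings.values() if isinstance(v, dict)]
    for body in bodies:
        src = body.get("_source")
        if isinstance(src, dict) and src.get("enabled") in (False, "false"):
            return False
    return True

def templates_disabling_source(templates, index_name):
    """Names of templates that match index_name and turn _source off."""
    hits = []
    for name, tpl in templates.items():
        patterns = tpl.get("index_patterns", [])
        if any(fnmatch.fnmatchcase(index_name, p) for p in patterns):
            if not source_enabled(tpl.get("mappings", {})):
                hits.append(name)
    return sorted(hits)

# Constructed sample of a GET _template response (not taken from the thread).
SAMPLE_TEMPLATES = {
    "filebeat-6.2.4": {
        "order": 1,
        "index_patterns": ["filebeat-6.2.4-*"],
        "mappings": {"doc": {"_source": {"enabled": False}, "properties": {}}},
    },
    "metricbeat-6.2.4": {
        "order": 1,
        "index_patterns": ["metricbeat-6.2.4-*"],
        "mappings": {"doc": {"properties": {}}},
    },
}

if __name__ == "__main__":
    for index in ("filebeat-6.2.4-2018.05.01", "metricbeat-6.2.4-2018.05.01"):
        bad = templates_disabling_source(SAMPLE_TEMPLATES, index)
        status = "would lose _source via " + ", ".join(bad) if bad else "keeps _source"
        print(f"{index}: {status}")
```
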