Filebeat custom log files / how to disable default module field mappings

I'm using filebeat to read log files that are not supported out of the box, for elasticsearch indexing.

The thing is that I get 1000+ field mappings that appear to be coming from default filebeat modules (apache, nginx, system, docker, etc.), and they only get in the way.

I've tried to reference a custom fields.yml file in filebeat.yml config, but it doesn't seem to make a difference. I'm still getting all those mappings. All the filebeat modules are disabled by default, so their state is also irrelevant.
Any hint is much appreciated.

There are various settings that will let you use a custom index template, overwrite an existing template, or turn off template management so you can set them up manually -- see the docs here for details

Thanks. My specific problem was with setup.template.fields: "path/to/fields.yml" that seemed to make no difference at all.
I've added custom file, and I still got all fields from the default fields.yml in my index.

But I already figured out to turn it off completely, and I choose to do that instead.

If you don't mind sharing, what was the solution to turn it off completely? I was having a similar problem a few days ago.

Thanks!

setup.template.enabled: false (it's also in the doc...)

2 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.