Currently we have configured data streams in our environment and its working as expected with Logstash.
For Filebeat do we just use the datastream name as the index value? Or do we create an alias to the datastream and write to that index?
I believe the default Logstash action is to index, not create, not sure if that will cause an issue with Filebeat as well?
To get this to work I had to do the following, add a processor in filebeat.yml:
- script:
lang: javascript
source: >
function process(event) {
event.Put("@metadata.op_type", "create");
}
Also in my filebeat.yml the following parameters needed to be set:
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "weaponx"
setup.template.pattern: "logs-weaponx-*"
output.elasticsearch.index: "logs-weaponx-filebeat"
Note all my index and index templates already existed inside ES.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.