Filebeat fields.yml

When specifying our fields.yml, I had several questions:

  1. How do we specify what should be the default time field for kibana?
  2. Is there any way to specify the moment.js format for the date field for kibana?
  3. What, if any, is the significance of the key in grouping fields?

Any help would be appreciated.

  1. The default time field can be set on the UI. But Filebeat puts its timestamp under the field @timestamp. It is already added to the fields.yml of a Beat. See: https://github.com/elastic/beats/blob/master/libbeat/_meta/fields.ecs.yml#L9

  2. Let me ping one of my colleagues about this.

  3. I am not sure I understand your question. What grouping do you mean?

  1. Right now there is no way to do it. But we are working on it.

@kvch: thank you so much for responding! For 3, in the libbeat fields.yml example that you linked to, you'll see this at the top level of the fields.yml file:

- key: ecs
  title: ECS
  description: ECS Fields.
  fields:

What are key, title and description for? What impact do these values have on either (1) my filebeat configuration or (2) the setup of the elasticsearch index?

Finally, is there some way to specify a dynamic mapping, e.g. that all fields not specified in the yaml be treated as unanalyzed?

For (1), yes, we figured, we just hate that we have to touch each logging index pattern for each application separately. Maybe there is a kibana API that lets us create the index patterns?
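As an added illustration (not libbeat's own template generator, and simplified): a fields.yml with the key/title/description/fields shape quoted above, already parsed into Python structures, turned into an Elasticsearch index template whose dynamic template maps every undeclared string field to keyword, i.e. unanalyzed. The "myapp" group, its fields and the index pattern name are constructed for this example.

```python
# Constructed sample of a fields.yml, shown already parsed (in practice you
# would yaml.safe_load the file). Same shape as the libbeat excerpt above: a
# list of groups, each with key/title/description/fields. "myapp" is made up.
FIELDS_YML = [
    {"key": "ecs", "title": "ECS", "description": "ECS Fields.", "fields": [
        {"name": "@timestamp", "type": "date"},
        {"name": "message", "type": "text"},
    ]},
    {"key": "myapp", "title": "My App", "description": "Example app.", "fields": [
        {"name": "user", "type": "group", "fields": [
            {"name": "name", "type": "keyword"},
            {"name": "id", "type": "keyword"},
        ]},
    ]},
]

# Any string field not declared in fields.yml is mapped as keyword, i.e. stored
# unanalyzed, instead of Elasticsearch's default analyzed text field.
STRINGS_AS_KEYWORD = {"strings_as_keyword": {
    "match_mapping_type": "string",
    "mapping": {"type": "keyword", "ignore_above": 1024},
}}


def properties(fields):
    """fields.yml field list -> Elasticsearch 'properties'. A 'group' field
    becomes an object with its own properties; leaf types pass through."""
    props = {}
    for f in fields:
        if f.get("type") == "group":
            props[f["name"]] = {"properties": properties(f.get("fields", []))}
        else:
            props[f["name"]] = {"type": f.get("type", "keyword")}
    return props


def build_template(groups, pattern="filebeat-*"):
    """Merge every group's fields into one mapping. In this simplified
    generator key/title/description are labels only; they do not change
    the resulting mapping."""
    props = {}
    for g in groups:
        props.update(properties(g.get("fields", [])))
    return {"index_patterns": [pattern],
            "mappings": {"dynamic_templates": [STRINGS_AS_KEYWORD],
                         "properties": props}}
```

The returned dict is the body you would PUT to the index template API; with it in place, a log line carrying an undeclared field such as `client_ip` is indexed as keyword rather than analyzed text.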
