Filebeat Module Creation

So I've started playing around with the filebeat modules and I enjoy the idea of having a tight coupling between Viz, field mapping, ingest pipeline and source files. But I kind of am stuck on fully switching over to it. First, is there a way to load in index mappings for specific indices? I have several and it looks like filebeat can only upload 1. It would be nice if each module would upload its own mapping for the index (one would have to avoid mapping collisions of course). The second is I got to the part where you create the fields.yml for a fileset, but then the documentation just stops about how to turn those fields into a mapping json file. It would appear that there is a make index-template but it has no guide on how to use it short of digging through the src code.

  1. Unfortunately, right now Filebeat uses one global index template for all of its modules and fields. Our plan is to have separate ones, but I don't see it happening in the near future.

  2. You need to run make update. It generates configuration, documentation and index patterns, etc. Indeed it's missing from the Development guide. I will add it soon. Thanks for reporting it!

Also, there was a talk at last ElasticON about Filebeat modules. It's a quick intro to creating your own ones. If you are interested in modules, it's worth watching it: https://www.elastic.co/elasticon/conf/2018/sf/build-your-own-filebeat-module
