Can I override the ingest pipeline for a filebeat module at runtime from modules.d/module.yml?
The Rest of the Story
I use the apache module with filebeat to capture logs on the Apache servers in our environment. On a few servers that a specific application runs on, I get a large number of entries in the access_log that can't be parsed by the standard filebeat-7.x.x-apache-access-pipeline ingest pipeline. The majority of log entries can be processed by this pipeline, but a relative handful can't, and generate errors.
The Solution
Since this appears to be application-specific, my solution was to copy the filebeat-7.x.x-apache-access-pipeline to filebeat-my-application-apache-access-pipeline and add an additional grok pattern to process these log entries. This has been successfully tested using _simulate.
The Question
Now my question is: Can I override the default ingest pipeline from the modules.d/apache.yml file on the impacted hosts, to force them to use the modified pipeline? It seems to me that it should be possible, but that certainly doesn't mean it is.
The pipelines are stored in a different directory but yes u could do it from Filebeat or just modify it in Elasticsearch from Kibana after loading it. I would just do it in Kibana as it's easier.
I've already created a new pipeline in Elasticsearch with the modifications I need. What I'm trying to do now is tell Elasticsearch to use that pipeline for just these hosts without going in and modifying the actual module itself on the hosts. I.e., how do I modify the value of [@metadata][pipeline] to use filebeat-my-application-apache-access-pipeline for just this instance in a persistent, repeatable manner so that I don't have to update the filebeat-x.x.x-apache-access-pipeline every time we upgrade the filebeat version we're using.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.