I tried a default dev setup of the ELK stack with Filebeat reading from some Docker container outputting Elastic Common Schema JSON. It looks like the default index mapping that Filebeat sets up causes Kibana to show many date fields in the fields pane and when expanding documents. Those values are not sent by the container and have no value in any document; it looks like those are only the fields that are of the date type, fields like azure.enqueued_time, cef.extensions.startTime.
Is there any way to prevent Kibana from showing this? It makes it very difficult to use, having many such fields showing, and having to define a custom index mapping due to this rather than use the default one doesn't feel right.
The Filebeat input:
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config.enabled: false
With these container labels:
co.elastic.logs/enabled: 'true'
co.elastic.logs/json.keys_under_root: 'true'
co.elastic.logs/json.add_error_key: 'true'
co.elastic.logs/json.message_key: message