Filebeat's default index mapping causes Kibana to display many empty date fields

I tried a default dev setup of the ELK stack with Filebeat reading from some Docker container outputting Elastic Common Schema JSON. It looks like the default index mapping that Filebeat sets up causes Kibana to show many date fields in the fields pane and when expanding documents. Those values are not sent by the container and have no value in any document; it looks like those are only the fields that are of the date type, fields like azure.enqueued_time, cef.extensions.startTime.

Is there any way to prevent Kibana from showing this? It makes it very difficult to use, having many such fields showing, and having to define a custom index mapping due to this rather than use the default one doesn't feel right.

The Filebeat input:

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config.enabled: false

With these container labels:

  co.elastic.logs/enabled: 'true'
  co.elastic.logs/json.keys_under_root: 'true'
  co.elastic.logs/json.add_error_key: 'true'
  co.elastic.logs/json.message_key: message

Thanks!