Handling multiple modules output to multiple indexes, good practice?

Hello Tanguy.
I'm not sure I completely understand your problem.
There are different ways to do what you want.

If you want to have different index names and , it's simple

```
output.elasticsearch:
  ...
  index: "%{[fields.type]}-putwhatyouwanthere"
```

> Also, is this the good way to do this? I feel like letting everything under a filebeat-%{+yyyy.MM.dd} is a bad idea (I end up with 1300+ fields on the index), but I didn't find a "best practices" section about filebeat --> multiple indexes either.

Letting everything under filebeat-%{+yyyy.MM.dd} is clearly a bad idea if you have thousands of different fields.
But if you do filebeat-%{[fields.type]}, you will have as many different filebeat indexes as you have different fields.type values, and you will avoid the heavy monolithic trash index.

> However, how can I add a custom field like shown above:
>
> ```
>   fields:
>     type: "system"
> ```
>
> to a module? (as I use a module instead of a processor) I couldn't find the answer on the web.

I don't know, you should test. You can try to add

```
- module: thenameofthemodule
```

and then

```
- ...
  fields:
    type: "audit"
```

And let's see if it works.

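One way the two suggestions in this thread can fit together, as an added example that is not part of the original posts. It assumes Filebeat 7.x, the per-fileset `input` override that modules accept, and the `has_fields` condition; the module names, host, and the `filebeat-untyped` fallback name are illustrative choices.

```yaml
# --- modules.d/*.yml (module definitions) ---
# The fileset-level "input" block is passed through to the underlying input,
# which is where a custom field can be attached to a module's events.
- module: system
  syslog:
    enabled: true
    input:
      fields:
        type: "system"

- module: auditd
  log:
    enabled: true
    input:
      fields:
        type: "audit"

# --- filebeat.yml (output and template settings) ---
output.elasticsearch:
  hosts: ["localhost:9200"]            # placeholder host
  # Fallback for events that carry no fields.type, so they are not lost
  # when the format string below cannot be resolved.
  index: "filebeat-untyped-%{+yyyy.MM.dd}"
  indices:
    - index: "filebeat-%{[fields.type]}-%{+yyyy.MM.dd}"
      when.has_fields: ["fields.type"]

# A custom index name requires the template name and pattern to be set.
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"

# With index lifecycle management active, the custom index setting is ignored.
setup.ilm.enabled: false
```

Splitting by type this way also lets index-level privileges and retention differ between the audit and system indexes.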