Host metadata not parsing out correctly in ElasticSearch

fozboz · August 17, 2018, 2:45pm

I have Metricbeat 6.3.2 sending to Logstash 6.3.2 sending to ElasticSearch 6.3.0. I have enabled the beta add_host_metadata processor in Metricbeats.

In Kibana, the host field is showing like this.

{
  "os": {
    "family": "debian",
    "codename": "xenial",
    "version": "16.04.5 LTS (Xenial Xerus)",
    "platform": "ubuntu"
  },
  "architecture": "x86_64",
  "name": "myhost1",
  "id": "c2d8354c6253fb563beeebeb07b902b5",
  "containerized": false
}

where I would expect host.name, host.architecture, host.os.platform etc. fields to have been parsed to individual fields and be searchable.

I thought that it may have something to do with the default field mappings provided by Metricbeat which look like this.

        "host": {
          "properties": {
            "architecture": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "os": {
              "properties": {
                "family": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "platform": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "version": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            }
          }
        },

so they do not explicitly define all of the fields. However, if I reindex the documents into a new index with the same index template, I get what I expect.

I am going to edit the index template now and define all of the fields, so tomorrow when the index rolls over it will pick up the new template and I will let you know the outcome. Any thoughts in the meantime?

fozboz · August 20, 2018, 1:30pm

Changing the index template did not make any difference

fozboz · August 20, 2018, 3:26pm

Moved to Kibana as it's clear to me now this is an issue I'm having with Kibana.

I just figured it out, it was an index pattern field mapping problem. Because I had old data which did not include the host metadata and just had the hostname as a string in the host field, Kibana was unable to resolve both mappings.

I recreated the index mappings to focus on more recent documents and the issue is fixed!

rashmi · August 20, 2018, 3:48pm

Glad that you posted your response back. It will be helpful for the community.

Cheers
Rashmi

system · September 17, 2018, 3:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Metricbeat fields defaults Beats metricbeat	6	749	October 12, 2017
Logstash does not index event to elastic due to issue on host field Logstash	6	560	January 8, 2021
Metricbeat to Logstash to ElasticSearch - Cannot See Any Hosts Defined, But Data Is Definitely Coming In Kibana	9	2114	July 12, 2021
Metricbeat 7.3.0 add_host_metadata Beats elastic-stack-monitoring , metricbeat	4	788	December 31, 2019
Logstash's - Beat to Elasticsearch Configuration - metadata Beats	4	747	March 26, 2018

Host metadata not parsing out correctly in ElasticSearch

Related topics