How does -E flag works

Sebastian_Treu · April 25, 2019, 7:07pm

Hi, I'm trying to overwrite the output of filebeat.

Motivation is based on my idea of avoid at all cost mounting specific files into docker container, so I though of:

~$ docker run --user root  -it -v "/var/lib/docker/containers:/var/lib/docker/containers:ro" -v "/var/run/docker.sock:/var/run/docker.sock:ro"  docker.elas
tic.co/beats/filebeat:7.0.0 -e -strict.perms=false --E output.console.pretty=true
Exiting: error unpacking config data: more than one namespace configured accessing 'output' (source:'filebeat.yml')

But it complains just like if it the overwrite was not done. This is what documentation says:

Flags:
-E, --E setting=value Configuration overwrite

What am I doing wrong?

steffens · April 26, 2019, 12:56pm

By using -E output.console.pretty=true you have 2 outputs configured. The default output is elasticsearch. Try:

... -E output.elasticsearch.enabled=false -E output.console.pretty=true

one can actually pass object to -E:

... -E 'output={elasticsearch.enabled: false, console.pretty: true}'

Sebastian_Treu · April 26, 2019, 5:23pm

@steffens thanks, that worked.

It's pretty anti intuitive that if filebeat won't manage 2 outputs, the command flag adds another option instead of overwriting it. Maybe that should be a feature request to change that behaviour.

system · May 24, 2019, 5:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.