How does the dynamic typing work in filebeat

We are looking to send a plethora of different logs into a downstream logstash cluster.

How exactly does the type setting work within filebeat, so that I can appropriately tag incoming data in logstash in order to grok the info properly [for parsing]?

The template file shows "type": "{dynamic_type}", but I can't find an explanation of what that means.

Is there a best practice for being able to easily add a type on the logstash side (via the beats input) so that I can easily direct to filter to the right grok?

You can override the type field using Filebeat config by using document_type. By default the value is "log".

The template file is for the Elasticsearch index template. You can read more about the format here. Most users have no need to modify this.

I think what you are asking is how can you add additional data to the events so that you can setup conditional processing in Logstash. For this you have multiple options.

• fields
• fields_under_root
• tags - these can only be set at the global level now, but in v1.2 and v5 you can set tags as an option under prospector. See examples here
• document_type