How to add other _types to the /etc/fields.yml in beats

blacktop · December 29, 2016, 11:42pm

I have a beat that will have MANY different _types.

beats/libbeat/scripts/generate_template.py doesn't seem to support that?

Any help greatly appreciated.

It looks like you can add more _types with filebeat modles ect, that looks like what I want to do.

Thanks!

andrewkroh · December 29, 2016, 11:46pm

Packetbeat uses a different type for each protocol. Have a look at its fields.yml.

blacktop · December 29, 2016, 11:48pm

So I tried using multiple keys, but after running make update I believe that beats/libbeat/scripts/generate_template.py did not parse it correctly. I will try again.

blacktop · December 30, 2016, 12:02am

I tried again and again it didn't seem to parse out he addtional _types with the key field

https://github.com/blacktop/brobeat/blob/master/etc/fields.yml

github.com

blacktop/brobeat/blob/master/brobeat.template.json

{
  "mappings": {
    "_default_": {
      "_all": {
        "norms": false
      },
      "_meta": {
        "version": "6.0.0-alpha1"
      },
      "dynamic_templates": [
        {
          "strings_as_keyword": {
            "mapping": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "match_mapping_type": "string"
          }
        }
      ],

This file has been truncated. show original

@andrewkroh is it because I am using the /etc/fields.yml and not the _meta folder?

I did a cookiecutter to init the beat, but maybe that was an older version?

Thanks

blacktop · December 30, 2016, 1:29am

I blew my beat away and started from scratch and make update didn't pick up the extra -key _types

andrewkroh · December 30, 2016, 2:37pm

The vendored version of the script you have appears to be looking at _meta/fields.yml.

blacktop · December 30, 2016, 4:10pm

So I was able to figure out how to add more sub-fields except that the way that it works is it creates nested fields under the _default mapping.

I usually like to use document _types to pull apart.. well document types. Is there a reason you have designed it this way? I can see that you are going to start using the concept of modules. For example an nginx filebeat module that I assume would create fields like this:

_index: filebeat-*
_type: filebeat
nginx.access.request.method: GET

To me it makes sense to have it be like:

_index: filebeat-*
_type: nginx-access
request.method: GET

I just think more deeply nested field names are harder to query?

Thoughts?

ruflin · January 3, 2017, 9:15am

This blog post should share some insights on types vs index: https://www.elastic.co/blog/index-vs-type In our case it didn't bring an advantage.

blacktop · January 4, 2017, 7:10pm

thank you @ruflin!

system · January 19, 2017, 11:42pm

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Beats - Define field type with add_fields processor in *beat.yml? Beats	2	815	March 18, 2020
From filebeat.template.json to fields.yml Beats filebeat	5	2010	June 5, 2018
Converting filebeat.template.json to fields.yml Beats filebeat	2	503	December 20, 2018
Beats fields.yml and multi-fields Beats	6	765	June 19, 2018
Filebeat 6.2.2 - Index Template Beats filebeat	5	498	June 21, 2018

How to add other _types to the /etc/fields.yml in beats

Related topics