How to change the default type "doc" for fileBeat index when ingest data to ES by ingest?

jackyshen · March 20, 2018, 2:24pm

I set the prospectors to ingest Nginx log to ES by fileBeat 5.5.0, and I found the type is "_type": "doc". I want to change the type name doc to other name, how to do it ?

**My config :**
filebeat.prospectors:

- type: log

  enabled: true

  paths:
    #- /var/log/*.log
    # 
    - D:\nginx-1.13.8\logs\access.log
    #- c:\programdata\elasticsearch\logs\*
    

**The  indexed document  in the ES.**
{
  "_index": "filebeat-2018.03.20",
  "_type": **"doc",**
  "_id": "P7-2Q2IBoQbqqlRr8Tx9",
  "_version": 1,
  "_score": 1,
  "_source": {
    "@timestamp": "2018-03-20T14:01:20.288Z",
    "beat": {
      "hostname": "HQ-PAB41656",
      "name": "HQ-PAB41656",
      "version": "5.5.0"
    },
    "input_type": "log",
    "message": "2018/03/20 22:01:11 [error] 7628#11008: *71 CreateFile() \"D:\\nginx-1.13.8/html/gggg\" failed (2: The system cannot find the file specified), client: 127.0.0.1, server: localhost, request: \"GET /gggg HTTP/1.1\", host: \"localhost:808\"",
    "offset": 35280,
    "source": "D:\\nginx-1.13.8\\logs\\error.log",
    "type": "log"
  },
  "fields": {
    "@timestamp": [
      "2018-03-20T14:01:20.288Z"
    ]
  }
}

andrewkroh · March 22, 2018, 11:56am

Mapping types are being removed from Elasticsearch and Filebeat doesn't allow the _type value to be configured to ensure there's only a single _type value. You can still customize the type value with fields: {type: foo} and fields_under_root: true in Filebeat

ES - Removal of Mapping Types

jackyshen · March 22, 2018, 4:04pm

From the url "ES - Removal of Mapping Types" you provided, it says the alternative is "Index per document type", suppose I have two types of log files ,one is type access.log , another is error.log, and I want to put them into different index ,such as access.log into index1 and error.log into index2 , how to configure it in ElasticSearch output of filebeat.yml( version 5.5 )? As I notice that I Just only can set one index name in the Elastic Search output.

andrewkroh · March 22, 2018, 4:33pm

You can use the indices configuration option to have it write documents to different indices.

system · April 19, 2018, 4:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.