How to define the host field going forward

fhlmbrg · June 14, 2019, 8:43am

Hi,

Ref. the ECS schema definition of the host field https://github.com/elastic/ecs/blob/master/schemas/host.yml

When running av mix of Beats and Syslog/UDP inputs to Logstash, the host field gets defined differently. Beats insists on storing the hostname in a host.name object key, while Logstash insists on using the host field as a string.

Try mixing the two and you get the error message:

object mapping for [host] tried to parse field [host] as object, but found a concrete value

I'd like to conform to one way of defining this field, no matter which input I'm using. One format to rule them all

What is the correct way to handle the host field as of today and going forward? Should it be defined as an object or a string?

system · July 12, 2019, 8:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Where is the object mapping for [host] defined? Elasticsearch ecs-elastic-common-schema	15	3084	September 13, 2021
Question about logstash output plugin 7.9 and ecs Logstash ecs-elastic-common-schema	2	439	February 4, 2021
Splitting syslog/beat entries by host? Logstash	3	361	May 3, 2020
[host] is defined as an object in mapping [logs] but this name is already used for a field in other types Elasticsearch	2	1645	February 1, 2019
Disable 'Host' output field from filebeat Beats filebeat	4	2668	November 9, 2018

How to define the host field going forward

Related topics