Add it to setup.template.fields file. But the index template doesn't have the "enabled: false" applied.
Is there a way to disable a field from indexing ?
- name: message
level: core
type: text
enabled: false
description: 'For log events the message field contains the log message'
example: This is test from Openstack Swift
Regards // Hugo
Hi Hugo,
Welcome to the community.
can you please reformulate your question as it is not clear?
Hi @ibra_013 ,
In the document, there's enabled option for field. There're around 30 fields in out doc. I'd like to disable index for few fields. The doc is sent via Filebeat. I thought there's option for filebeat to create index template with fields disabled.
How to specify enabled: false in Filebeat's fields.yml ?
Thanks // Hugo
You're linking to Elasticsearch documentation there, so it's not a Filebeat concept you can configure. You need to create your own template that sets this. Alternatively you can just drop the field with Filebeat.
Also 6.X of the stack id EOL, you need to upgrade.
Also 6.X of the stack id EOL, you need to upgrade.
Sorry for confusion, we are using 7.4.
In the Beats document, there're enabled & index mapping parameters.
What's the difference between these two parameters?
Example of my use case :
There're account, account_keyword and additional_info fields in a doc.
We're looking for ways to store all three fields in ES but not index the account and additional_info. The goal is when the user searches the account_keyword, the account and additional_info are visible but not searchable.
},
"account" : {
"type" : "text",
"index" : false,
"norms" : false
},
"account_keyword" : {
"type" : "keyword",
"ignore_above" : 1024
},
"additional_info" : {
"type" : "text",
"index" : false,
"norms" : false
},
I found three different mapping for an index. Not very sure about which is the right one for the use case. I tested the index:false in the filebeat's fields.yml and I can see the result in the above.
index: false
index: no
enabled: false
The documentation you linked to is for building your own custom beat, it does not apply to Filebeat sorry.
Thanks to point it out. @warkolm I noticed this option in the fields.yaml from package.
It seems commonly used in filebeat.x86_64 7.10.2-1
[root@hkd filebeat]# grep index: fields.yml -B 5
- name: text
type: text
norms: false
default_field: false
description: The stack trace of this error in plain text.
index: false
--
- name: x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
--
- name: client.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
--
- name: server.x509.public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
--
- name: public_key_exponent
level: extended
type: long
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
index: false
--
description: "Server log file"
type: group
fields:
- name: stacktrace
description": Stack trace in case of errors
index: false
[root@hkd filebeat]# yum list installed | grep filebeat
filebeat.x86_64 7.10.2-1 @/filebeat-oss-7.10.2-x86_648F6NQU
Regards // Hugo
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.