How to use copy-to in filebeat?

I am trying to use copy_to to copy the values of multiple fields into a group field so that it can then be queried as a single field. I found this link, copy_to | Elasticsearch Reference [7.12] | Elastic, but when I try to do it in the Dev Tools it doesn't work with my Filebeat index. I tried it with it already indexed and without it being indexed. Then I tried loading the JSON template in filebeat.yml and that also did not work.

I also found this link, Copy fields | Filebeat Reference [7.12] | Elastic, but this doesn't do the groups. Any ideas on how I could accomplish this would be great.


I think that copy_to needs to be specified in the mappings. In this case you will need to update the mapping for Filebeat's fields. Where did you try to set it up?

copy_fields of Filebeat should work. What configuration did you try? Maybe something like the following could do the trick:

  - copy_fields:
      fields:
        - from: message1
          to: event.message1
        - from: message2
          to: event.message2
      fail_on_error: false
      ignore_missing: true


I tried to set up the mapping for copy_to in a custom-template.json file that I made. And then in filebeat.yml I loaded in the template like

  path: "custom-template.json"

This did not create the field.

For the copy_fields in Filebeat I can get it to work with each thing being labeled as event.message1 and event.message2, but I am trying to make it a list and not have message1 and message2 next to it, so I want it like [10, 12]. This is because I am trying to use Graph in Kibana and sometimes the list will be like [12, 10] and I want that to be able to be the same map as [10, 12] and not create a new one.
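
One way to get the order-independent list asked about above is Filebeat's `script` processor (`lang: javascript`), sketched here as an added example that is not part of the original thread. The source fields `message1`/`message2` are taken from the reply above; the target field `event.group` and the helper names `buildGroup` and `fakeEvent` are hypothetical.

```javascript
// Field names from the reply above; "event.group" is a hypothetical target.
var SOURCE_FIELDS = ["message1", "message2"];
var TARGET_FIELD = "event.group";

// Collect the source values into one de-duplicated, sorted list so that
// [12, 10] and [10, 12] are stored identically.
function buildGroup(event) {
  var seen = {};
  var values = [];
  for (var i = 0; i < SOURCE_FIELDS.length; i++) {
    var v = event.Get(SOURCE_FIELDS[i]);
    if (v === null || v === undefined || v === "") continue; // field missing
    var n = Number(v);
    var item = isNaN(n) ? String(v) : n; // keep non-numeric values as strings
    var key = typeof item + ":" + item;
    if (!seen[key]) { seen[key] = true; values.push(item); }
  }
  // Numbers first in ascending order, then strings in lexical order.
  values.sort(function (a, b) {
    if (typeof a !== typeof b) return typeof a === "number" ? -1 : 1;
    if (typeof a === "number") return a - b;
    return a < b ? -1 : a > b ? 1 : 0;
  });
  if (values.length > 0) event.Put(TARGET_FIELD, values);
  return values;
}

// Filebeat's script processor calls a function named process(event); there the
// script would end with: function process(event) { buildGroup(event); }

// Constructed stand-in for the Filebeat event object (Get/Put only), so the
// function can be exercised outside Filebeat.
function fakeEvent(fields) {
  return {
    fields: fields,
    Get: function (k) { return this.fields.hasOwnProperty(k) ? this.fields[k] : null; },
    Put: function (k, v) { this.fields[k] = v; }
  };
}

var a = fakeEvent({ message1: "12", message2: "10" }); // constructed sample
var b = fakeEvent({ message1: 10, message2: 12 });     // same pair, reversed
console.log(JSON.stringify(buildGroup(a)), JSON.stringify(buildGroup(b)));
```

The script processor runs an ES5.1 interpreter, which is why the code uses `var` and plain function expressions.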

