Increase ignore_above for custom field

leprovokateur · March 21, 2019, 10:04am

Hi,

I use filebeat, logstash, and elasticsearch to index log messages, kibana for visualization.

Within logstash I use grok to split the message into different fields, one of which is "logmessage". If "logmessage" is too long, it is not indexed in elasticsearch and the value for "logmessage" is missing in visualizations, but visible in Discover. I suspect the value of ignore_above of 256 being the culprit as the missing values for logmessage are strings longer than 256 characters.

Where do I configure easily and sustainably the value of ignore_above for "logmessage"?

Thanks,
Robert

leprovokateur · March 21, 2019, 1:51pm

Hi,

I somehow solved the problem with

PUT _template/filebeat
{
  "index_patterns": ["filebeat-*"],
  "mappings":{
    "doc":{
"properties": {
            "logmessage" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 10000
                }
              }
            }
          }
}}}

But, I would like to know how to achieve this using filebeat. Anybody?

Regards,
Robert

system · April 18, 2019, 2:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to set the "ignore_above" on elasticsearch / using logstash and kibana Kibana	8	4299	November 20, 2019
Ignore_above setting is not respected Elasticsearch	2	409	July 14, 2020
How can i disable ignore_above for every existing and new index Elasticsearch	1	749	October 10, 2017
Impact of ignore_above property in ES mapping Elasticsearch	2	1552	July 6, 2017
How to set "ignore_above" : 256 to higher value while using python elasticsearch client? Kibana	9	3301	December 23, 2020

Increase ignore_above for custom field

Related topics