Increase ignore_above for custom field

leprovokateur · March 21, 2019, 10:04am

Hi,

I use filebeat, logstash, and elasticsearch to index log messages, kibana for visualization.

Within logstash I use grok to split the message into different fields, one of which is "logmessage". If "logmessage" is too long, it is not indexed in elasticsearch and the value for "logmessage" is missing in visualizations, but visible in Discover. I suspect the value of ignore_above of 256 being the culprit as the missing values for logmessage are strings longer than 256 characters.

Where do I configure easily and sustainably the value of ignore_above for "logmessage"?

Thanks,
Robert

leprovokateur · March 21, 2019, 1:51pm

Hi,

I somehow solved the problem with

PUT _template/filebeat
{
  "index_patterns": ["filebeat-*"],
  "mappings":{
    "doc":{
"properties": {
            "logmessage" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 10000
                }
              }
            }
          }
}}}

But, I would like to know how to achieve this using filebeat. Anybody?

Regards,
Robert

system · April 18, 2019, 2:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.