Hello,
on to the next challenge.
I've set up Elasticsearch, Kibana and Filebeat. Filebeat is sending json files to ES>Kibana.
This part is working. Though, in Kibana the data is only in the 'Discover' menu.
A few questions:
- Which part of the filebeat.yml defines what the data view in the 'Discover' pane is called? Currently it's just a generic looking "filebeat-*". I've tried modifying the filebeat.yml in several places in hopes of finding out which one would change the naming. No luck so far.
- And more importantly, without using Logstash, can I somehow have Filebeat send the json 'message' field unscrambled to ES>Kibana, i.e. to display the different values within the message field as columns, so the data in Kibana can actually be analyzed in a useful way?
filebeat.yml:
```yaml
# Input: read the JSON dump file
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - C:\Program Files\temp\jsondump.json

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true

# Index template and dashboard setup
setup.template.enabled: true
setup.template.name: "filebeat"
setup.template.fields: "fields.yml"
setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
setup.kibana:
  host: "172.1.1.50:5601"

# Output: ship events to Elasticsearch over HTTP
output.elasticsearch:
  hosts: ["172.1.1.50:9200"]
  protocol: "http"
  username: "elastic"
  password: "*******"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

logging.level: debug
logging.selectors: ["*"]
paths: 'C:\Program Files\Filebeat\logs\'
name: "filebeattest"
```
There is a high possibility I've configured too many lines and the filebeat.yml config contains lines that potentially could be removed and are not required.
I did try out adding:
```yaml
processors:
  - decode_json_fields:
      fields: ["message"]
      target: ""
```
to the filebeat.yml. But after adding those lines, the filebeat service won't start at all.
Thank you!
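
One way the `decode_json_fields` processor from the post can sit in the existing `processors` list, as an added example that is not part of the original post. A YAML mapping holds each key once, so the processor is listed under the one `processors:` key rather than in a second `processors:` section. Assumptions: every line of the file is one JSON object, the values for `max_depth`, `overwrite_keys` and `add_error_key` are choices made for this example, and `ES_PWD` is a hypothetical keystore or environment variable name.

```yaml
# Added example, not the poster's configuration.
# Assumption: every line of jsondump.json is one complete JSON object.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - C:\Program Files\temp\jsondump.json

# A single processors list for the whole file; entries run in the order listed.
processors:
  - decode_json_fields:
      fields: ["message"]     # field that holds the raw JSON text
      target: ""              # "" merges the decoded keys into the event root
      max_depth: 1            # example choice: decode the top level only
      overwrite_keys: false   # example choice: keep existing event fields on a name clash
      add_error_key: true     # record decoding failures on the event
  - add_host_metadata:
      when.not.contains.tags: forwarded

output.elasticsearch:
  hosts: ["172.1.1.50:9200"]
  protocol: "http"
  username: "elastic"
  password: "${ES_PWD}"       # hypothetical variable name, resolved from the keystore or environment
```

Running `filebeat test config -c filebeat.yml` checks the file for configuration errors before the service is restarted.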