Index problem .keyword

AnotherGuy · June 24, 2022, 12:08pm

Hi,

I go a big problem today and i don't know how to resolve it.

I work on ELK 7.17.1 on the same computer and with filebeat on another computer which sends me log in live with a docker.

I import my template Dashboard so it's good but i found this error:

So i checked the index filebeat-* with the Data Visualizer and i have this :

All of my type: text have a .keyword with the entire log in it, but i want to be in the log_data_name type: text not in the .keyword.
I found a "solution" it's to set the

"fielddata": true

source:

but i don't know how to do it without the curl PUT ...

So my question is, how my logs can write directly on the type: text?

AnotherGuy · June 24, 2022, 1:16pm

Update!

I got this error:

Error executing runtime field or scripted field on index pattern filebeat-*

if (doc['log_data_name'].value == 'car_mode')
{
  
        ^---- HERE

Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [log_data_name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.

stephenb · June 24, 2022, 2:49pm

Most likely You did not run filebeat setup before you started filebeat per the quick start instructions step 4 therefore the correct index template and mappings did not get loaded. Which means you are getting the "default mapping" which is the behavior you are seeing.

You will need to

Stop filebeat
cleanup / delete the index in Kibana
run filebeat setup -e
start filebeat to reload the data.

Note filebeat will not reload a file it has already loaded unless you clean out the filebeat data directory

AnotherGuy · June 24, 2022, 3:19pm

Ok i do that but for the sudo filebeat setup -e i modif my filebeat.yml
i comment logstash.output and uncomment elasticsearch.output, but setup the filbeat i can uncomment my logstash.output ?

stephenb · June 24, 2022, 3:40pm

Ok

You did not say you were using logstash in the middle so there is more to do...

Yes comment out the logstash output during setup and set elasticsearch output.
Then comment out the elasticsearch output and uncomment the logstash output when running through logstash.

I usually highly recommend to get everything working using the direct architecture.

Filebeat -> Elasticsearch

Before trying and moving on to the more complex architecture.

Filebeat -> logstash -> Elasticsearch

Also since you are using logstash your pipeline needs to be "filebeat" aware please see this doc

You pipeline should look something like

input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://yourhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}" 
      user => "elastic"
      password => "secret"
    }
  } else {
    elasticsearch {
      hosts => "http://yourhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "secret"
    }
  }
}

AnotherGuy · June 24, 2022, 3:49pm

I have that

input {
  beats {
    port => 5044
    id => "from_filebeat"
  }
}

output {
  elasticsearch {
    hosts => ["http://192.168.66.11:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    #user => "elastic"
    #password => "changeme"
  }
}

stephenb · June 24, 2022, 3:51pm

Yup but if you ever use a module with a pipeline that will not work / support it.
If you are not using a module or pipeline you are fine.. The if / else supports both.

You should add the

manage_template => false

Ohh @AnotherGuy Welcome to the community!

AnotherGuy · June 24, 2022, 3:58pm

I got a new problem with my stream log because i removed
-/var/lib/filebeat/registry/filebeat/*
-/var/log/filebeat/*

I try to resolve it and i'll be back.
Thank for the help

AnotherGuy · July 6, 2022, 12:32pm

Okay i resolv the problem, i removed filebeat & follow the install Filebeat quick start: installation and configuration | Filebeat Reference [7.17] | Elastic

after the setup it's work's !

system · August 3, 2022, 12:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat & Kibana error: "Visualize: Fielddata is disabled on text fields by default." Kibana	2	2315	February 17, 2017
Data allways stack in field.keyword than field Kibana docker	9	488	September 9, 2022
Unable to get rid off error: "Visualize: Fielddata is disabled on text fields by default." Beats filebeat	3	1158	February 14, 2017
Nginx module and keyword fields Beats filebeat	3	978	November 30, 2017
Auditd module's kibana dashboards do not use keyword fields Beats auditbeat	3	431	June 6, 2020

Index problem .keyword

Related Topics