All of my type: text fields have a .keyword with the entire log in it, but I want it to be in the log_data_name type: text, not in the .keyword.
I found a "solution" it's to set the
Error executing runtime field or scripted field on index pattern filebeat-*
if (doc['log_data_name'].value == 'car_mode')
{
^---- HERE
Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [log_data_name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.
Most likely you did not run filebeat setup before you started filebeat, per step 4 of the quick start instructions, so the correct index template and mappings did not get loaded. That means you are getting the "default mapping", which is the behavior you are seeing.
You will need to:
Stop filebeat
Clean up / delete the index in Kibana
Run filebeat setup -e
Start filebeat to reload the data.
Note: filebeat will not reload a file it has already loaded unless you clean out the filebeat data directory.
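An added example, not part of the original thread: one way to confirm the "default mapping" symptom described above is to inspect the output of GET filebeat-*/_mapping for string fields that carry Elasticsearch's dynamic-mapping signature (text with a .keyword sub-field, ignore_above 256). The sample mapping, the index name and the function names are constructed for illustration.

```python
import json

# Constructed sample of a GET <index>/_mapping response for an index created
# without the Filebeat template; the index name is a placeholder.
SAMPLE_MAPPING = json.loads("""
{"filebeat-example": {"mappings": {"properties": {
  "@timestamp": {"type": "date"},
  "log_data_name": {"type": "text",
    "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
  "host": {"properties": {
    "name": {"type": "text",
      "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}},
  "agent": {"properties": {
    "type": {"type": "keyword", "ignore_above": 1024}}}
}}}}
""")


def is_dynamic_string(field):
    """True for the mapping Elasticsearch generates for an unmapped string."""
    kw = field.get("fields", {}).get("keyword", {})
    return (field.get("type") == "text"
            and kw.get("type") == "keyword"
            and kw.get("ignore_above") == 256)


def dynamic_string_fields(properties, prefix=""):
    """Walk nested 'properties' and return dotted paths of dynamic strings."""
    found = []
    for name, field in sorted(properties.items()):
        path = prefix + name
        if "properties" in field:  # object field: recurse into its children
            found += dynamic_string_fields(field["properties"], path + ".")
        elif is_dynamic_string(field):
            found.append(path)
    return found


def audit(mapping_response):
    """Map each index name to its dynamically mapped string fields."""
    return {index: dynamic_string_fields(body["mappings"].get("properties", {}))
            for index, body in mapping_response.items()}


if __name__ == "__main__":
    for index, fields in audit(SAMPLE_MAPPING).items():
        status = "template likely not applied" if fields else "ok"
        print(f"{index}: {status} {fields}")
```

A field such as host.name showing up in the result is a strong hint that the index was created before the template was loaded, since the Filebeat template maps it as keyword.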
OK, I did that, but for the sudo filebeat setup -e I modified my filebeat.yml:
I commented out logstash.output and uncommented elasticsearch.output. Once filebeat is set up, can I uncomment my logstash.output?
You did not say you were using logstash in the middle so there is more to do...
Yes, comment out the logstash output during setup and set the elasticsearch output.
Then comment out the elasticsearch output and uncomment the logstash output when running through logstash.
I usually highly recommend to get everything working using the direct architecture.
Filebeat -> Elasticsearch
Before trying and moving on to the more complex architecture.
Filebeat -> logstash -> Elasticsearch
Also, since you are using logstash, your pipeline needs to be "filebeat" aware; please see this doc.
Your pipeline should look something like:

    input {
      beats {
        port => 5044
      }
    }
    output {
      if [@metadata][pipeline] {
        elasticsearch {
          hosts => "http://yourhost:9200"
          manage_template => false
          index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
          pipeline => "%{[@metadata][pipeline]}"
          user => "elastic"
          password => "secret"
        }
      } else {
        elasticsearch {
          hosts => "http://yourhost:9200"
          manage_template => false
          index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
          user => "elastic"
          password => "secret"
        }
      }
    }

Yup, but if you ever use a module with a pipeline, that will not work / support it.
If you are not using a module or pipeline you are fine. The if / else supports both.