Index template pattern & with different beats and kibana

Hi,

Still trying to get my head around indexes, templates and patterns.

I understand that its best practice to have metricbeat and filebeat to use separate indexes as their is potential for conflicts with fields (e.g one defines 'source' as and object and the other defines 'source' as an string).

So this is how default templates are setup for each beat.

I really would like to have a single 'dev-*' index pattern in kibana so that we can have a single dashboard containing visualization from different beats

with that in mind how is the setup.template.pattern property used by the beat when it setups up the template and dashboards? according to the documentation it tells elasticsearch that the template should be applied to every index that matches that pattern? How does the beat tell kibana which pattern to create.

So would the following properties be suitable?

setup.template.name: "dev-filebeat-%{[beat.version]}"
setup.template.pattern: ""ev-filebeat-%{[beat.version]}-"
setup.dashboards.index: "dev-"
output.elasticsearch.index: "dev-filebeat-%{[beat.version]}-%{+yyyy.MM.dd}"
output.logstash.index: "dev-filebeat-%{[beat.version]}-"

I really would like to have a single 'dev-*' index pattern in kibana so that we can have a single dashboard containing visualization from different beats

You can make a dashboard with visualisations using different index patterns. The index pattern is selected at the vis level, but the dashboard can use any vis.

Assuming you'd still want a single index pattern in Kibana, I would still leave the templates separated and just create a custom index pattern in Kibana. Unfortunately, I don't think we have a way to create that automatically, but assuming the templates are fine, you can create it from the Kibana UI without much loss in functionality (the formatting of some fields, which we provide in our index pattern, would be lost).

This topic was automatically closed after 21 days. New replies are no longer allowed.