I'm finalising a deployment for a tenant based system whereby there are various systems pushing logs through logstash.
Having filebeat set document_type based on prospectors seems like a bad idea. What if people don't set this correctly, or make some mistake? Is it overly taxing to have logstash handle this, adding the document_type as necessary, and relying on grok's to handle the heavy lifting?
I feel like leaving the responsibility of setting document_type to filebeat is a bad idea.
Would love to hear peoples opinions.