Hi there,
using winlogbeat-7.5.0-windows-x86_64 on different Windows OS (2012R2,2016,10,...) we're regularly hitting the es (7.4.1) field limitation for our daily indices ("logstash-winlogbeat-%{+YYYY.MM}"). Logstash does no filtering, just "input { beats { port => 57514 } }". My questions:
If you need any further information, let me know.
Thank you!
Sounds like you aren't using the index template provided by Winlogbeat. It should set a higher total field limit if used. I think it puts index.mapping.total_fields.limit: 10000 into the index template settings.
With index naming of logstash-winlogbeat-* you'll need to either configure Winlogbeat with the appropriate index pattern settings before running setup against Elasticsearch. Or export the template to file from Winlogbeat and then hand modify it to apply to the logstash-winlogbeat-* index pattern. See the documentation about installing the index template for more details. https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-template.html#load-template-manually
Hi Andrew,
thanks, that was the case. We were shipping to logstash and not managing any templates.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.