Metricbeat fields defaults

Elastic Stack Beats
1

Hi,

I'm running a test cluster and a production cluster, metricbeats is one of the things posting data into both of these.

In the metricbeat-* index pattern on my dev cluster the host field is searchable and aggregatable but on my production cluster I have a host field (searchable and analyzed) and a host.keyword (searchable and aggregatable) alongside it. I don't know how that got there, I haven't been messing with the mapping API or the template files.

Because my dev/prod clusters have different fields it's messing up my ElastAlert YAML, one references host and the other needs host.keyword.

Which setup is correct according to MetricBeat defaults and how do I get them in sync?

Gog

2

It sounds like the prod cluster doesn't have the index template installed. The host field should be a keyword datatype. See Loading the Index Template in Elasticsearch.

3

I wondered that too, but I don't remember having to do that in the dev cluster.

If I do post the template to the prod cluster presumably all new indexes will adhere to it but it won't apply to the existing data?

4

That's correct. It will not apply retroactively. The data in those indices would need to reindexed.

5

Reindexing metricbeats data is hard... :stuck_out_tongue:

I'll curl the template in and post back with the results.

6

Reindexing is pretty easy with the reindex API.

POST _reindex
{
  "source": {
    "index": "metricbeat-2017.01.01"
  },
  "dest": {
    "index": "metricbeat-2017.01.01-a"
  }
}

Then after that completes you delete the metricbeat-2017.01.01 index.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.