Metricbeat fields defaults

GogLlundain · September 13, 2017, 1:43pm

Hi,

I'm running a test cluster and a production cluster, metricbeats is one of the things posting data into both of these.

In the metricbeat-* index pattern on my dev cluster the host field is searchable and aggregatable but on my production cluster I have a host field (searchable and analyzed) and a host.keyword (searchable and aggregatable) alongside it. I don't know how that got there, I haven't been messing with the mapping API or the template files.

Because my dev/prod clusters have different fields it's messing up my ElastAlert YAML, one references host and the other needs host.keyword.

Which setup is correct according to MetricBeat defaults and how do I get them in sync?

Gog

andrewkroh · September 13, 2017, 2:57pm

It sounds like the prod cluster doesn't have the index template installed. The host field should be a keyword datatype. See Loading the Index Template in Elasticsearch.

GogLlundain · September 13, 2017, 3:07pm

I wondered that too, but I don't remember having to do that in the dev cluster.

If I do post the template to the prod cluster presumably all new indexes will adhere to it but it won't apply to the existing data?

andrewkroh · September 13, 2017, 4:09pm

That's correct. It will not apply retroactively. The data in those indices would need to reindexed.

GogLlundain · September 14, 2017, 7:53am

Reindexing metricbeats data is hard...

I'll curl the template in and post back with the results.

andrewkroh · September 14, 2017, 2:31pm

Reindexing is pretty easy with the reindex API.

POST _reindex
{
  "source": {
    "index": "metricbeat-2017.01.01"
  },
  "dest": {
    "index": "metricbeat-2017.01.01-a"
  }
}

Then after that completes you delete the metricbeat-2017.01.01 index.

system · October 12, 2017, 2:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.