Hi,
Our existing filebeat version (in staging) is 7.8.0 where we create a lot of visualization through it (using filebeat-* index pattern)
Most of this visualization is aggregation in terms using the agent.hostname and it works fine.
Then, we have this scenario where we added 7.8.1 filebeat version for prod data. Query time takes longer and sometimes shard failure error occured. I know for a fact that one rule of elastic is that, all elastic component should be the same. But how critical is it to combine these version in terms of aggregation, search and filter?
Me thinks it is because on field mapping is different from previous version. Our previous mapping is aggregating using the text field while the newest version is aggregating using the keyword field. I need someone who can explain if im correct? or no.