It makes it really difficult to do some more useful searches, e.g. searching for a prefix on nginx.access.url so I can find out what traffic is going to a legacy app, or to group nginx.access.referrers by a common domain.
Is there any way to configure Filebeat to ship fields as text, or is this potentially a feature that could be added?
I went through the Filebeat source code and couldn't find anything explicitly setting the field type; I think it's just an index template issue. Using this configuration in Filebeat makes the fields indexed as the default Logstash template has some bonus configuration:
If you customize the index template you can change how the data is mapped. You could set up the fields as text, but if you also want to aggregate on the fields then using a multi field will be best so you can do both.
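
The multi-field mapping described in the reply above, as an added example that is not part of the original thread: a `properties` fragment for a customized index template that maps `nginx.access.url` as analyzed text with a keyword sub-field. The sub-field name `keyword` and the `ignore_above` value are assumptions chosen for illustration.

```json
{
  "properties": {
    "nginx": {
      "properties": {
        "access": {
          "properties": {
            "url": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            }
          }
        }
      }
    }
  }
}
```

With this mapping, full-text queries run against `nginx.access.url`, while aggregations, sorting and exact matches use `nginx.access.url.keyword`. A mapping change applies only to indices created after the template is updated, so existing indices keep their old field types until they are reindexed.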