I am getting this message on my filebeats index. I went to Management > Selected Index, then Refresh. But I still see this error. For example, I am looking for the log.file.path. Strange thing is, when I go to search for it in Management > Index, and then filter for this value, it does not show up. Am I missing something?
You didn't say where you were seeing the message, but it's probably in Discover? This happens when Discover is trying to show you a field, but the mapping is missing. So if log.file.path is missing in your mappings, you should fix that.
Yes, that is correct.
How do I add this to my mappings?
It sounds like something has gotten out of sync between filebeat and kibana. I would recommend re-running the setup code from filebeat: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html#setup-assets
I ran that on one of my hosts. I noticed the following at the end of the output:
```
2020-11-12T13:51:34.824-0500 ERROR instance/beat.go:951 Exiting: Index management requested but the Elasticsearch output is not configured/enabled
Exiting: Index management requested but the Elasticsearch output is not configured/enabled
```
I am using logstash in my filebeat.yml:
```
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.0.100:5044"]
```
That IP is my server.
If you read the link I sent earlier, it has a note about using non-Elasticsearch outputs. Please follow those instructions instead.
When running the filebeat setup -e command, I get a lot of values that are 1024:
```
                "certificate": {
                  "properties": {
                    "common_name": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "curve": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "exponent": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "issuer": {
                      "properties": {
                        "common_name": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "country": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "locality": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "organization": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "organizational_unit": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "state": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        }
                      }
                    },
                    "key": {
                      "properties": {
                        "algorithm": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "length": {
                          "type": "long"
                        },
                        "type": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        }
                      }
                    },
                    "serial": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "signature_algorithm": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "subject": {
                      "properties": {
                        "common_name": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "country": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "locality": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "organization": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "organizational_unit": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        },
                        "state": {
                          "ignore_above": 1024,
                          "type": "keyword"
                        }
                      }
                    },
                    "valid": {
                      "properties": {
                        "from": {
                          "type": "date"
                        },
                        "until": {
                          "type": "date"
                        }
                      }
                    },
                    "version": {
                      "type": "long"
                    }
                  }
                },
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "log_cert": {
                  "type": "boolean"
                },
                "san": {
                  "properties": {
                    "dns": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "email": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "ip": {
                      "type": "ip"
                    },
                    "other_fields": {
                      "type": "boolean"
                    },
                    "uri": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "order": 1,
  "settings": {
    "index": {
      "mapping": {
        "total_fields": {
          "limit": 10000
        }
      },
      "max_docvalue_fields_search": 200,
      "number_of_routing_shards": 30,
      "number_of_shards": 1,
      "refresh_interval": "5s"
    }
  }
}
```
What does this mean?
Here are the docs for that setting https://www.elastic.co/guide/en/elasticsearch/reference/current/ignore-above.html
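Both questions in this thread (is a field such as log.file.path present in the mapping, and what does `ignore_above: 1024` do to a keyword value) can be checked offline against a template dump. The following is an added example, not part of the original posts or Elastic's own code; the mapping slice, the sample event and the function names `resolve`, `flatten` and `audit` are constructed for illustration.

```python
# Constructed slice of a Filebeat-style mapping (not copied from a real cluster).
KW = {"type": "keyword", "ignore_above": 1024}
MAPPINGS = {"properties": {
    "log": {"properties": {"file": {"properties": {"path": dict(KW)}}}},
    "process": {"properties": {"command_line": dict(KW)}},
}}


def resolve(mappings, dotted):
    """Return the mapping entry for a dotted field name, or None if absent."""
    node = mappings
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def flatten(event, prefix=""):
    """Yield (dotted_name, value) for every leaf of a nested event."""
    for key, value in event.items():
        if isinstance(value, dict):
            yield from flatten(value, f"{prefix}{key}.")
        else:
            yield f"{prefix}{key}", value


def audit(mappings, event):
    """Label each field: unmapped, dropped by ignore_above, or indexed."""
    report = {}
    for name, value in flatten(event):
        field = resolve(mappings, name)
        if field is None:
            report[name] = "unmapped"
        elif (field.get("type") == "keyword" and isinstance(value, str)
              and len(value) > field.get("ignore_above", float("inf"))):
            # Value stays in _source but is not indexed, so queries miss it.
            report[name] = "ignore_above"
        else:
            report[name] = "indexed"
    return report


# Constructed event: one normal path, one oversized value, one unmapped field.
EVENT = {"log": {"file": {"path": "/var/log/auth.log"}},
         "process": {"command_line": "x" * 2000},
         "custom": {"tag": "lab"}}

if __name__ == "__main__":
    for name, status in audit(MAPPINGS, EVENT).items():
        print(f"{name}: {status}")
```

A field reported as `ignore_above` is still visible when the document is opened, but a search or detection rule on that keyword field will not match it.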