Optional fields in filebeat

sunilmchaudhari · April 21, 2016, 1:23pm

Hi,
I was using LSF with below extra fields in LSF.conf
type and Application as below.

{
"paths": [ 
"C:/logs/user-mgmt/user-mgmt.log"
],
"fields": { "type": "iam-logs","Application":"iam" }
}

And I was creating timebased index in logstash-indexer at server side in the name of {%Application%}-YYYY-MM-DD
Now, in filebeat there is facility to define index name as well at client side only.

So can anybdoy confirm that I should go ahead with indexing form filebeat ?
If I am defining index in FB configuration only then, do I need to mention index parameter in elasticsearch output in logstash-indexer?

Please guide me which approach is better? indexing in FB or the old approach of timebased indexing from LS-indexer conf.?

br,
Sunil

ruflin · April 21, 2016, 4:04pm

Filebeat by default creates daily indices. No configuration needed.

sunilmchaudhari · April 21, 2016, 4:22pm

Hi,
thanks Ruflin.
So, if I understand correctly, after FB, logstash role is mainly for filtering,parsing.

ruflin · April 22, 2016, 5:46am

Exactly. Filtering, parsing / processing, enhancing and routing to different outputs.