Override analyzer for Logstash extracted field

We are working on setting up Logstash to manage our log files. One of the issues we have is that some of the messages are written with "**" in the string, and we need to retain that when we try to search (so that we can see all the messages with "**" in the last X minutes, etc.).

From what I have read, this requires overriding the analyzer for the field to be whitespace, not keyword (which is what it currently comes in as). But, I can't figure out where to set that up.

We are using Filebeat 6.3.0, with monthly indexes of filebeats-6.3.0-yyyy.mm, so I'm thinking it needs to be on the template somewhere.

There are options in Filebeat to load the default template into ES, but that doesn't contain all the fields that will be extracted by the Logstash filters. Do I need to change this template to include all the fields that I will be extracting, or just the one that I need to override the mapping for? There don't appear to be any options on the Elasticsearch output plugin for Logstash, either.
