Hi,
We have a Filebeat config that has two prospectors. Both prospectors define their own tags and "fields" values. However, the fields values of the first prospector are being overwritten by the values of the second prospector. Here is the config:
filebeat.prospectors:
- type: log
enabled: true
paths: ["C:/path1"]
fields:
sw: SW_name_1
include_lines: ['ERROR', 'WARN']
multiline.pattern: ^([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3} - )
multiline.negate: true
multiline.match: after
tags: ["tag1"]
- type: log
enabled: true
paths: ["C:/path2"]
fields:
sw: SW_name_2
include_lines: ['\AERROR', '\AWARN']
multiline.pattern: ^(TID)
multiline.negate: true
multiline.match: after
tags: ["tag2"]
So in KIbana we can only see "fields.sw:SW_name_2", even when the source is "C:/path1" and the tags contain "tag1". This has led us to believe that the "fields.sw" value is being overwritten somehow.
We then tried removing the
fields:
sw: SW_name_2
section. Then the "SW_name_1" value appeared in new entries as expected.
Any idea what might be the cause?
Thank you!
