Use of filebeat templates - single template vs multiple templates

mvienne · March 6, 2020, 10:07am

I'm confused about the use of filebeat templates with the file fields.yml.

If I want to store two types of logs into elasticsearch, let's say apache logs and postgres logs, is it better to have a single template in the file fields.yml, or should I instead use multiple templates (logstash-6.2.3-apache* and logstash-6.2.3-postgres*)?

If I chose the former, is it really a good practice to merge the definition of unrelated fields into a single template?
If I chose the latter, am I supposed to setup my templates manually in elasticsearch with PUT _template/logstash-6.2.3-apache for example?

mvienne · March 6, 2020, 10:27am

I want to define my own templates, because I want to store logs other than apache and postgres which don't have modules available

system · April 3, 2020, 10:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.