What does mean the "make update" in defining field mapping in filebeat document?

Siavash_Fazli · September 5, 2022, 7:33am

Hi guys!

I need to change some fields type (event.original) in the fields.yml in the filebeat configuration.
But my changes don't apply in indexes after restarting filebeat.

there is a command in filebeat documentation that I can't find where I should run it:

documentation link:

and the first line is:

You must define the fields used by your Beat, along with their mapping details,
in *_meta/fields.yml*. After editing this file, run **make update**.

I installed filebeat 7.16.2 from a .deb file on my ubuntu server.

What is the make run command??

cheshirecat · September 5, 2022, 9:14am

Hello There!

The command make (docs) is used while compiling programs - as you installed software from *.deb package you won't need to use this command.

Siavash_Fazli · September 5, 2022, 9:22am

@cheshirecat

yes, I found it a few moments ago.
Now is there any way to change the field type in fields.yml file?

cheshirecat · September 5, 2022, 9:24am

When you're making changes is filebeat stoped at all nodes?

Siavash_Fazli · September 5, 2022, 9:45am

@cheshirecat

After changes, I restarted several times and even wait one day to see the effect.
but nothing changed.

This is what I want to change(original under event >> event.original) line 1761:

    - name: original
      level: core
      type: keyword
      description: 'Raw text message of the entire event. Used to demonstrate log integrity
        or where the full log message (before splitting it up into multiple parts) may
        be required, e.g. for reindex.

I need to change the type: keyword to wildcard
How can I do this?

system · October 3, 2022, 11:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.