Why filebeat create so many fields in the index of elasticsearch

99da02c8d5a5a0c0474d · April 18, 2019, 9:38am

Hi,all.I'm a newbie for ELK. We use filebeat to collect nginx logs and output to elasticsearch with the default template,but when I checking the kibana's index on the dashboard,I saw the index contains 1148 fields,why filebeat create so many fields ?

here is some of my filebeat config:

filebeat.inputs:

type: log
enabled: true
paths:
- /data/log/nginx/access.log
  close_inactive: 10m
  json.keys_under_root: true
  json.overwrite_keys: true
  fields_under_root: true
  fields:
  app_id: api-ngx

output.elasticsearch:
hosts: ["10.0.1.6:9200","10.0.1.47:9200","10.0.1.48:9200"]
indices:
- index: "api-ngx-%{+yyyy.MM.dd}"
when:
contains:
app_id: api-ngx

shrikantgulia · April 18, 2019, 12:16pm

its due to default property for certain type of logs.
Would suggest you to parse different type with the help of logstash and remove all the fields which you don't want

system · May 16, 2019, 12:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Filebeat] Huge mapping (nearly 5k fields) when ingesting logs Beats filebeat	3	518	November 13, 2020
Cisco Filebeat module loading 4286 fields Beats beats-module , filebeat	4	474	October 8, 2020
Lot of fields Elasticsearch	2	387	March 10, 2018
Filebeat modules Kibana	3	90	April 1, 2024
Create Multiple Indexes from filebeat Logstash	3	1525	September 30, 2021

Why filebeat create so many fields in the index of elasticsearch

Related topics