Winlogbeat Mapping Template

rhyse · August 9, 2016, 6:46am

Hi

I am having the following issue Query Help search for $

I have loaded the default winlogbeat template (I'm using v5 Alpha 4 agents)

{
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": true,
        "norms": {
          "enabled": false
        }
      },
      "dynamic_templates": [
        {
          "template1": {
            "mapping": {
              "doc_values": true,
              "ignore_above": 1024,
              "index": "not_analyzed",
              "type": "{dynamic_type}"
            },
            "match": "*"
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "message": {
          "index": "analyzed",
          "type": "string"
        }
      }
    }
  },
  "settings": {
    "index.refresh_interval": "5s"
  },
  "template": "winlogbeat-*"
}

Any ideas as to what the impact may be to this change ? Or any other work arounds ?

Thanks

andrewkroh · August 9, 2016, 9:34pm

Are you not using the index template provided with Winlogbeat? Why? By default the all of the event_data.* fields are not_analyzed strings.

This blog post might be of interest to you based on what you are querying: Monitoring Windows Logons with Winlogbeat

rhyse · August 9, 2016, 9:51pm

As far as I know I am using the index template from winlogbeat, from winlogbeat.template.json (pretty sure this was done to cover another issue I had)

How can I confirm this ?

Thanks

rhyse · August 9, 2016, 9:54pm

To clarify I'm not loading the index it from the agents, I loaded it at the server side, from memory

andrewkroh · August 9, 2016, 10:01pm

This will return the index template:

curl http://localhost:9200/_template/winlogbeat?pretty

This will return the mapping used for today's index. The data types should match whats in the index template.

curl http://localhost:9200/winlogbeat-2016.08.09/_mapping?pretty

You can paste the data to http://pastebin.com and share the link because it's probably too big to post directly on here.

rhyse · August 10, 2016, 8:08am

Ok. I was sure I had loaded that template, but it doesn't look like it was. I have now done so and I am getting better results

Will continue working through my issues.

Sorry for taking up your time

Thanks

system · August 31, 2016, 8:08am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Adding .raw to winlogbeat messages Beats winlogbeat	11	1718	September 12, 2016
Winlogbeat missing mapping fields Beats filebeat , packetbeat , metricbeat , winlogbeat	19	1778	November 20, 2020
Should I keep beat version in index-template? Beats winlogbeat	1	329	December 25, 2021
Winlogbeat dont use custom template Beats winlogbeat	1	556	December 5, 2019
Winlogbeat 1.x works fine but can't get 5 up Beats winlogbeat	2	791	December 14, 2016

Winlogbeat Mapping Template

Related topics