Winlogbeat Mapping Template

rhyse · August 9, 2016, 6:46am

Hi

I am having the following issue Query Help search for $

I have loaded the default winlogbeat template (I'm using v5 Alpha 4 agents)

{
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": true,
        "norms": {
          "enabled": false
        }
      },
      "dynamic_templates": [
        {
          "template1": {
            "mapping": {
              "doc_values": true,
              "ignore_above": 1024,
              "index": "not_analyzed",
              "type": "{dynamic_type}"
            },
            "match": "*"
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "message": {
          "index": "analyzed",
          "type": "string"
        }
      }
    }
  },
  "settings": {
    "index.refresh_interval": "5s"
  },
  "template": "winlogbeat-*"
}

Any ideas as to what the impact may be to this change ? Or any other work arounds ?

Thanks

andrewkroh · August 9, 2016, 9:34pm

Are you not using the index template provided with Winlogbeat? Why? By default the all of the event_data.* fields are not_analyzed strings.

This blog post might be of interest to you based on what you are querying: Monitoring Windows Logons with Winlogbeat

rhyse · August 9, 2016, 9:51pm

As far as I know I am using the index template from winlogbeat, from winlogbeat.template.json (pretty sure this was done to cover another issue I had)

How can I confirm this ?

Thanks

rhyse · August 9, 2016, 9:54pm

To clarify I'm not loading the index it from the agents, I loaded it at the server side, from memory

andrewkroh · August 9, 2016, 10:01pm

This will return the index template:

curl http://localhost:9200/_template/winlogbeat?pretty

This will return the mapping used for today's index. The data types should match whats in the index template.

curl http://localhost:9200/winlogbeat-2016.08.09/_mapping?pretty

You can paste the data to http://pastebin.com and share the link because it's probably too big to post directly on here.

rhyse · August 10, 2016, 8:08am

Ok. I was sure I had loaded that template, but it doesn't look like it was. I have now done so and I am getting better results

Will continue working through my issues.

Sorry for taking up your time

Thanks

system · August 31, 2016, 8:08am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.