Default mapping for "log" field used in examples #5920

Closed
zytek opened this issue Dec 19, 2017 · 3 comments

Comments

@zytek (Contributor)

zytek commented Dec 19, 2017

Hello again,

I've set up Filebeat 6.0.1 on Kubernetes, based on https://github.com/elastic/beats/blob/master/deploy/kubernetes/filebeat-kubernetes.yaml, which seems to follow best practices for Kubernetes deployments.

I do not use any ingest pipelines nor any other processing of log entries. I just wish to send pure log lines from docker logs to Elasticsearch. Example config part:

    - type: log
      paths:
        - /var/lib/docker/containers/*/*.log
      json.message_key: log
      json.keys_under_root: true

This configuration parses docker logs and sends the log message to the ES index under the "log" field. This field has type: keyword, as seen in the mapping:

              "log" : {
                "properties" : {
                  "level" : {
                    "type" : "keyword",
                    "ignore_above" : 1024
                  },

I believe this should either:

a) be of type "text" for a more meaningful user experience and easier "grepping" of log entries, or
b) these log lines should be sent under the "message" key, which already has type: text set.

Could you advise how to handle that? Either the default examples should make Filebeat send log lines under the "message" field, or the mapping of the "log" field should be changed. As I am not experienced here I cannot tell which approach is better.

As a workaround, can you provide info on how to achieve a)? I can't tell from the docs. The json.message_key setting applies to the source file (docker JSON logs from the json-file log driver), and there doesn't seem to be any setting to tell it to send this under the message field.

Filebeat version 6.0.1

@zytek (Contributor, Author)

zytek commented Dec 20, 2017

FYI, I've manually loaded a template that I altered to mention the "log" field and set its type to "text", the same as the "message" field. Kibana now behaves properly when searching for log events. This should be the default configuration; I can assist in fixing this if you'll guide me a little bit ;-)

@exekias (Contributor)

exekias commented Dec 20, 2017

Good catch, and thank you for reporting! We should actually switch the defaults to use the new docker prospector; it will decode JSON automatically, extract the timestamp, and put log lines under the message key, which is mapped.

I have created #5934; you are more than welcome to contribute this change. I'll take it at some point soon if you are not in the mood :)
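To make the two behaviours discussed in this thread concrete, here is an added example (written for this page, not Filebeat's own code) that emulates both the reporter's `json.keys_under_root` / `json.message_key: log` configuration and the docker prospector behaviour exekias describes, then checks each resulting event against the template slice quoted in the issue ("log" mapped as an object with a "level" keyword, "message" mapped as text). The sample docker json-file lines are constructed for the example; the newline stripping, the handling of non-JSON lines and the `mapping_conflicts` helper are this example's own assumptions, not documented Filebeat behaviour.

```python
import json

# Constructed sample lines in the docker json-file log driver format: one JSON
# object per line, as Filebeat reads them from /var/lib/docker/containers/*/*.log.
# These are made up for the example and do not come from the issue.
SAMPLE_LINES = [
    '{"log":"GET /healthz 200\\n","stream":"stdout","time":"2017-12-19T10:15:30.123456789Z"}',
    '{"log":"{\\"level\\":\\"error\\",\\"msg\\":\\"db timeout\\"}\\n","stream":"stderr","time":"2017-12-19T10:15:31.5Z"}',
    "plain text that is not JSON",
]

# The slice of the Filebeat 6.x index template as the issue quotes it: "log" is
# an object whose "level" child is a keyword, and "message" is text.
TEMPLATE_PROPERTIES = {
    "log": {"properties": {"level": {"type": "keyword", "ignore_above": 1024}}},
    "message": {"type": "text"},
}


def decode_with_json_settings(line):
    """Emulate the issue's config (type: log, json.keys_under_root: true,
    json.message_key: log): decoded keys land at the event root, so the line
    text stays under "log". Keeping the trailing newline and falling back to a
    "message" + "error" event on bad JSON are assumptions of this example."""
    try:
        obj = json.loads(line)
    except ValueError:
        return {"message": line, "error": "json decode failed"}
    if not isinstance(obj, dict):
        return {"message": line, "error": "json value is not an object"}
    return dict(obj)


def decode_like_docker_input(line):
    """Emulate what exekias describes for the docker prospector: decode the
    JSON, move "log" to "message" (trailing newline stripped), move "time" to
    "@timestamp" and keep "stream". Field names follow Filebeat; the stripping
    and the error handling are this example's assumptions."""
    try:
        obj = json.loads(line)
    except ValueError:
        return {"message": line, "error": "json decode failed"}
    if not isinstance(obj, dict) or "log" not in obj:
        return {"message": line, "error": "not a docker json-file record"}
    event = {"message": obj["log"].rstrip("\n")}
    if "time" in obj:
        event["@timestamp"] = obj["time"]
    if "stream" in obj:
        event["stream"] = obj["stream"]
    return event


def mapping_conflicts(event, properties):
    """Return the top-level event fields whose shape disagrees with the
    template: a scalar sent where the template maps an object (the "log" case
    in this issue) or an object sent where the template maps a leaf type.
    Fields the template does not mention are left to dynamic mapping."""
    conflicts = []
    for name, value in event.items():
        mapping = properties.get(name)
        if mapping is None:
            continue
        template_is_object = "properties" in mapping
        event_is_object = isinstance(value, dict)
        if template_is_object != event_is_object:
            conflicts.append(name)
    return sorted(conflicts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        old = decode_with_json_settings(line)
        new = decode_like_docker_input(line)
        print("json settings:", old, "conflicts:", mapping_conflicts(old, TEMPLATE_PROPERTIES))
        print("docker input: ", new, "conflicts:", mapping_conflicts(new, TEMPLATE_PROPERTIES))
```

Running it shows the first configuration producing a string-valued "log" field that collides with the template's "log" object, while the docker-style decoding puts the text under the already text-mapped "message" field with no conflict. The same check can be run against any event and template slice before changing a deployment's input type or loading an altered template, which is the safer order of operations than discovering the mismatch in Kibana.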

exekias pushed a commit that referenced this issue Dec 28, 2017
New docker prospector properly sends log entries in message
field (see #5920). Remove unused POD_NAMESPACE env var from
filebeat manifest.
@exekias (Contributor)

exekias commented Dec 31, 2017

closed by #5963

@exekias exekias closed this as completed Dec 31, 2017
exekias pushed a commit to exekias/beats that referenced this issue Jan 3, 2018
…#5920 (elastic#5963)

New docker prospector properly sends log entries in message
field (see elastic#5920). Remove unused POD_NAMESPACE env var from
filebeat manifest.
(cherry picked from commit 241aa3c)
andrewkroh pushed a commit that referenced this issue Jan 3, 2018
 and #5920 (#5976)

* Use docker prospector in K8S examples, fixes #5934 and #5920 (#5963)

New docker prospector properly sends log entries in message
field (see #5920). Remove unused POD_NAMESPACE env var from
filebeat manifest.
(cherry picked from commit 241aa3c)

* Update NOTICE.txt
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…ixes elastic#5934 and elastic#5920 (elastic#5976)

* Use docker prospector in K8S examples, fixes elastic#5934 and elastic#5920 (elastic#5963)

New docker prospector properly sends log entries in message
field (see elastic#5920). Remove unused POD_NAMESPACE env var from
filebeat manifest.
(cherry picked from commit d066553)

* Update NOTICE.txt