# Filebeat to Elasticsearch

![Filebeat to Elasticsearch](https://i.stack.imgur.com/NZm0B.png)

Custom fields added to the documents that Filebeat indexes into Elasticsearch carry metadata that gives each log line context, so the logs become searchable within that context. When logs are easily searchable within a context, charts and graphs can be built for each of those contexts, bringing visibility into the application and enabling stakeholders to understand and act on its behaviour.

This walkthrough adds two pieces of context to every indexed log line:

- which app, or which host, the logs originated from, in this case the value "fromAnitaLaptop";
- the version of the app, e.g. version 2.1.0.

The steps apply equally to logs from a test or a production environment for one particular version of your app. (If you route through LogStream rather than sending to Elasticsearch directly: LogStream ships with an Elasticsearch API Source preconfigured to listen on port 9200.)

## Step-by-step proof of concept: adding one field to filebeat.yml

1. In filebeat.yml, add `fields` and `fields_under_root` below the `paths` entry of one particular input, in this case the standard `/var/log/*.log`. In this example the field with the value fromAnitaLaptop is added to every indexed document coming from `/var/log/*.log`; `fields_under_root: true` places it at the top level of the document rather than nested under a `fields` object. Be aware that a custom field with the same name as a field Filebeat itself adds (such as `host`) overwrites it.
2. Save the file and restart Filebeat if it was already running.
3. Verify the new field shows up as expected in Kibana > Discover. Make sure some new log entries have been generated since Filebeat was updated and restarted, then refresh Kibana > Discover to view the latest logs.
4. Notice the warning that there is no cached mapping for this field.
5. Refresh the index pattern: navigate to Management: Stack Management > Kibana: Index Patterns, select the index pattern, click Refresh and confirm.

It should now be easy to search on logs by this field.

![Filebeat to Elasticsearch](https://miro.medium.com/max/2946/0*BBa3TJY09eDvB08J.png)

## Filebeat to Elasticsearch: full version

Now add the version fields in addition to the existing custom field. Because the version is split into separate major, minor and bugfix fields, you can search on a combination of logs "fromAnitaLaptop" with a particular version combination, or on a combination of major and minor alone, e.g. major version 2 and minor version 1.

```
# filebeat.yml
- SNIP -
# Add the following fields and fields_under_root underneath the path
```

Repeat the steps of restarting Filebeat and refreshing the index pattern to remove the no-cached-mapping warnings.

![Filebeat to Elasticsearch](https://www.elastic.co/guide/en/beats/filebeat/1.1/images/filebeat.png)

Note that it is now easy to search on specific combinations of versions, as well as on less-than and greater-than comparisons against a specific version, provided each version component is indexed as a number rather than a string (Elasticsearch fixes the field type the first time it sees the field, so quote-free integer values matter from the first document onward). Example: filter only logs coming from major version 2 and minor version 1, where the bugfix version does not matter, with origin fromAnitaLaptop.

Once these fields are in the index they can be used to search and to aggregate data by these properties. This simplifies searching for logs and building charts aggregated by a particular version of the app on a particular server, for example when you want to view logs "fromAnitaLaptop" running version 2.1.0.
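As an added example (not code from the article or from Filebeat), the following Python helper renders the `fields` / `fields_under_root` block described above for a given origin and version, builds the two kinds of search the article describes as Elasticsearch query DSL (exact origin plus major/minor, and an "at least this version" comparison), and checks them locally against constructed sample documents. The field names `origin`, `version_major`, `version_minor` and `version_bugfix`, and the sample documents, are assumptions of this example, not names from the article.

```python
"""Custom Filebeat fields for log origin and app version, and the
Elasticsearch queries they enable. Added example, not the article's code:
the field names origin/version_major/version_minor/version_bugfix and the
sample documents below are assumptions."""
import operator
import re

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_RANGE_OPS = {"gt": operator.gt, "gte": operator.ge, "lt": operator.lt, "lte": operator.le}


def parse_version(version):
    """Split 'MAJOR.MINOR.BUGFIX' into ints: as one keyword string,
    '2.10.0' would sort before '2.9.0' and range queries would be wrong."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.BUGFIX version: {version!r}")
    return tuple(int(x) for x in m.groups())


def render_filebeat_fields(origin, version, indent=2):
    """Block to paste under an input's `paths:` in filebeat.yml. Ints are
    unquoted so Elasticsearch maps them as numbers, not keyword strings."""
    major, minor, bugfix = parse_version(version)
    pad = " " * indent
    return "\n".join([
        f"{pad}fields:",
        f"{pad}  origin: {origin}",
        f"{pad}  version_major: {major}",
        f"{pad}  version_minor: {minor}",
        f"{pad}  version_bugfix: {bugfix}",
        f"{pad}fields_under_root: true",
    ]) + "\n"


def version_query(origin, major, minor=None, bugfix=None):
    """Exact origin plus the version parts given; omit bugfix for 2.1.x."""
    clauses = [{"term": {"origin": origin}},
               {"term": {"version_major": major}}]
    if minor is not None:
        clauses.append({"term": {"version_minor": minor}})
    if bugfix is not None:
        clauses.append({"term": {"version_bugfix": bugfix}})
    return {"query": {"bool": {"filter": clauses}}}


def at_least_query(origin, version):
    """Logs from origin at version >= MAJOR.MINOR.BUGFIX. A range on
    version_major alone is not enough; the comparison must cascade."""
    major, minor, bugfix = parse_version(version)
    return {"query": {"bool": {
        "filter": [{"term": {"origin": origin}}],
        "should": [
            {"range": {"version_major": {"gt": major}}},
            {"bool": {"filter": [
                {"term": {"version_major": major}},
                {"range": {"version_minor": {"gt": minor}}}]}},
            {"bool": {"filter": [
                {"term": {"version_major": major}},
                {"term": {"version_minor": minor}},
                {"range": {"version_bugfix": {"gte": bugfix}}}]}},
        ],
        "minimum_should_match": 1,
    }}}


def _matches(doc, clause):
    """Tiny local evaluator for term/range/bool, to sanity-check the
    queries offline before sending them to a cluster."""
    (kind, body), = clause.items()
    if kind == "term":
        (field, value), = body.items()
        return doc.get(field) == value
    if kind == "range":
        (field, cond), = body.items()
        value = doc.get(field)
        return value is not None and all(
            _RANGE_OPS[op](value, limit) for op, limit in cond.items())
    if kind == "bool":
        filters, should = body.get("filter", []), body.get("should", [])
        ok = all(_matches(doc, c) for c in filters)
        if should and body.get("minimum_should_match", 0 if filters else 1):
            ok = ok and any(_matches(doc, c) for c in should)
        return ok
    raise ValueError(f"unsupported clause: {kind}")


def search(docs, query):
    """'origin major.minor.bugfix' for every document the query matches."""
    return [f"{d['origin']} {d['version_major']}.{d['version_minor']}."
            f"{d['version_bugfix']}" for d in docs if _matches(d, query["query"])]


# Constructed sample documents, shaped as Filebeat indexes them with
# fields_under_root: true (not real index data).
SAMPLE_DOCS = [
    dict(zip(("version_major", "version_minor", "version_bugfix"),
             parse_version(v)), origin=o, message="app started")
    for o, v in [("fromAnitaLaptop", "2.1.0"), ("fromAnitaLaptop", "2.1.3"),
                 ("fromAnitaLaptop", "2.10.0"), ("fromAnitaLaptop", "2.0.9"),
                 ("fromBobServer", "2.1.0")]
]
```

`search(SAMPLE_DOCS, version_query("fromAnitaLaptop", 2, 1))` is the article's "major 2, minor 1, any bugfix, from fromAnitaLaptop" filter, and `at_least_query("fromAnitaLaptop", "2.1.3")` shows why the components must be separate numeric fields: it correctly includes 2.10.0 and excludes 2.0.9, which a string comparison on "2.1.3" would get backwards. The `should` clauses carry an explicit `minimum_should_match: 1` because a bool query that also has `filter` clauses otherwise treats `should` as optional.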