- Metricbeat Reference: other versions:
- Overview
- Getting started with Metricbeat
- Setting up and running Metricbeat
- Upgrading Metricbeat
- How Metricbeat works
- Configuring Metricbeat
- Specify which modules to run
- Specify general settings
- Load external configuration files
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Community ID Network Flow Hash
- Convert
- Drop events
- Drop fields from events
- Keep fields from events
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Add Observer metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Extract array
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure project paths
- Configure the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- Autodiscover
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- metricbeat.reference.yml
- Beats central management
- Modules
- Aerospike module
- Apache module
- aws module
- Ceph module
- consul module
- coredns module
- Couchbase module
- couchdb module
- Docker module
- Dropwizard module
- Elasticsearch module
- Elasticsearch ccr metricset
- Elasticsearch cluster_stats metricset
- Elasticsearch index metricset
- Elasticsearch index_recovery metricset
- Elasticsearch index_summary metricset
- Elasticsearch ml_job metricset
- Elasticsearch node metricset
- Elasticsearch node_stats metricset
- Elasticsearch pending_tasks metricset
- Elasticsearch shard metricset
- envoyproxy module
- Etcd module
- Golang module
- Graphite module
- HAProxy module
- HTTP module
- Jolokia module
- Kafka module
- Kibana module
- Kubernetes module
- Kubernetes apiserver metricset
- Kubernetes container metricset
- Kubernetes event metricset
- Kubernetes node metricset
- Kubernetes pod metricset
- Kubernetes state_container metricset
- Kubernetes state_deployment metricset
- Kubernetes state_node metricset
- Kubernetes state_pod metricset
- Kubernetes state_replicaset metricset
- Kubernetes state_statefulset metricset
- Kubernetes system metricset
- Kubernetes volume metricset
- kvm module
- Logstash module
- Memcached module
- MongoDB module
- mssql module
- Munin module
- MySQL module
- Nats module
- Nginx module
- PHP_FPM module
- PostgreSQL module
- Prometheus module
- RabbitMQ module
- Redis module
- System module
- System core metricset
- System cpu metricset
- System diskio metricset
- System filesystem metricset
- System fsstat metricset
- System load metricset
- System memory metricset
- System network metricset
- System process metricset
- System process_summary metricset
- System raid metricset
- System socket metricset
- System socket_summary metricset
- System uptime metricset
- traefik module
- uwsgi module
- vSphere module
- Windows module
- ZooKeeper module
- Exported fields
- Aerospike fields
- Apache fields
- aws fields
- Beat fields
- Ceph fields
- Cloud provider metadata fields
- Common fields
- consul fields
- coredns fields
- Couchbase fields
- couchdb fields
- Docker fields
- Docker fields
- Dropwizard fields
- ECS fields
- Elasticsearch fields
- envoyproxy fields
- Etcd fields
- Golang fields
- Graphite fields
- HAProxy fields
- Host fields
- HTTP fields
- Jolokia fields
- Jolokia Discovery autodiscover provider fields
- Kafka fields
- Kibana fields
- Kubernetes fields
- Kubernetes fields
- kvm fields
- Logstash fields
- Memcached fields
- MongoDB fields
- mssql fields
- Munin fields
- MySQL fields
- Nats fields
- Nginx fields
- PHP_FPM fields
- PostgreSQL fields
- Process fields
- Prometheus fields
- RabbitMQ fields
- Redis fields
- System fields
- traefik fields
- uwsgi fields
- vSphere fields
- Windows fields
- ZooKeeper fields
- Monitoring Metricbeat
- Securing Metricbeat
- Troubleshooting
- Get help
- Debug
- Common problems
- "open /compat/linux/proc: no such file or directory" error on FreeBSD
- Metricbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Contributing to Beats
Step 3: Load the index template in Elasticsearch
editStep 3: Load the index template in Elasticsearch
editA connection to Elasticsearch is required to load the index template. If the output is not Elasticsearch, you must load the template manually.
In Elasticsearch, index templates are used to define settings and mappings that determine how fields should be analyzed.
The recommended index template file for Metricbeat is installed by the
Metricbeat packages. If you accept the default configuration in the
metricbeat.yml
config file, Metricbeat loads the template automatically
after successfully connecting to Elasticsearch. If the template already exists,
it’s not overwritten unless you configure Metricbeat to do so.
Configure template loading
editBy default, Metricbeat automatically loads the recommended template file,
fields.yml
, if the Elasticsearch output is enabled. If you want to use the
default index template, no additional configuration is required. Otherwise, you
can change the defaults in the metricbeat.yml
config file
to:
-
Load a different template
setup.template.name: "your_template_name" setup.template.fields: "path/to/fields.yml"
If the template already exists, it’s not overwritten unless you configure Metricbeat to do so.
-
Overwrite an existing template
setup.template.overwrite: true
-
Disable automatic template loading
setup.template.enabled: false
If you disable automatic template loading, you need to load the template manually.
-
Change the index name
If you’re sending events to a cluster that supports index lifecycle management, see Configure index lifecycle management to learn how to change the index name.
Metricbeat uses time series indices, by default, when index lifecycle management is disabled or unsupported. The indices are named
metricbeat-7.2.1-yyyy.MM.dd
, whereyyyy.MM.dd
is the date when the events were indexed. To use a different name, you set theindex
option in the Elasticsearch output. The value that you specify should include the root name of the index plus version and date information. You also need to configure thesetup.template.name
andsetup.template.pattern
options to match the new name. For example:output.elasticsearch.index: "customname-%{[agent.version]}-%{+yyyy.MM.dd}" setup.template.name: "customname" setup.template.pattern: "customname-*"
If you’re using pre-built Kibana dashboards, also set the
setup.dashboards.index
option. For example:setup.dashboards.index: "customname-*"
See Load the Elasticsearch index template for the full list of configuration options.
Load the template manually
editTo load the template manually, run the setup
command. A
connection to Elasticsearch is required.
If another output is enabled, you need
to temporarily disable that output and enable Elasticsearch by using the
-E
option. The examples here assume that Logstash output is enabled. You can
omit the -E
flags if Elasticsearch output is already enabled.
If you are connecting to a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Metricbeat.
If the host running Metricbeat does not have direct connectivity to Elasticsearch, see Load the template manually (alternate method).
To load the template, use the appropriate command for your system.
deb and rpm:
metricbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
mac:
./metricbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
brew:
metricbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
linux:
./metricbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
docker:
docker run docker.elastic.co/beats/metricbeat:7.2.1 setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
win:
Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
From the PowerShell prompt, change to the directory where you installed Metricbeat, and run:
PS > .\metricbeat.exe setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
Force Kibana to look at newest documents
editIf you’ve already used Metricbeat to index data into Elasticsearch,
the index may contain old documents. After you load the index template,
you can delete the old documents from metricbeat-*
to force Kibana to look
at the newest documents.
Use this command:
deb and rpm:
curl -XDELETE 'http://localhost:9200/metricbeat-*'
mac:
curl -XDELETE 'http://localhost:9200/metricbeat-*'
linux:
curl -XDELETE 'http://localhost:9200/metricbeat-*'
win:
PS > Invoke-RestMethod -Method Delete "http://localhost:9200/metricbeat-*"
This command deletes all indices that match the pattern metricbeat-*
.
Before running this command, make sure you want to delete all indices that match
the pattern.
Load the template manually (alternate method)
editIf the host running Metricbeat does not have direct connectivity to Elasticsearch, you can export the index template to a file, move it to a machine that does have connectivity, and then install the template manually.
To export the index template, run:
deb and rpm:
metricbeat export template > metricbeat.template.json
mac:
./metricbeat export template > metricbeat.template.json
brew:
metricbeat export template > metricbeat.template.json
linux:
./metricbeat export template > metricbeat.template.json
win:
PS > .\metricbeat.exe export template --es.version 7.2.1 | Out-File -Encoding UTF8 metricbeat.template.json
To install the template, run:
deb and rpm:
curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/metricbeat-7.2.1 -d@metricbeat.template.json
mac:
curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/metricbeat-7.2.1 -d@metricbeat.template.json
linux:
curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/metricbeat-7.2.1 -d@metricbeat.template.json
win:
PS > Invoke-RestMethod -Method Put -ContentType "application/json" -InFile metricbeat.template.json -Uri http://localhost:9200/_template/metricbeat-7.2.1
On this page