WARNING: Version 1.0.1 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Changes to the Output Fields
editChanges to the Output Fields
editIn the default configuration, Filebeat structures its output documents a little differently from the Logstash Forwarder. This section discusses the differences and the options you have in case you want compatibility with the Logstash Forwarder.
Custom Fields are Grouped Under a "fields" Dictionary
editThe custom fields (added from the configuration file) are set as top-level
fields in Logstash Forwarder but are grouped together under a fields
dictionary in Filebeat. If you need the old behavior during the migration phase,
you can use the fields_under_root configuration option:
filebeat:
prospectors:
-
paths:
- "/var/log/*.log"
document_type: syslog
fields:
service: test01
fields_under_root: true
Filebeat uses "beat.hostname" for Sending the Hostname of the Server
editWhile the Logstash Forwarder sends the hostname of the server it’s running on in
the host field, Filebeat uses the beat.hostname field for the same purpose.
Because host is commonly used in the Logstash plugin ecosystem, the Beats
input plugin automatically copies beat.hostname into host.
The "file" Field Was Renamed to "source"
editThe file field was renamed to source. If you rely on this field being
named file, you can rename it by using the mutate filter in Logstash. For
example:
filter {
mutate {
rename => {
"source" => "file"
}
}
}
The "line" Field Was Removed
editThe line field was removed. This field wasn’t correct after restarts, and
making it correct would have resulted in a performance penalty. We recommend
using the offset field instead.