WARNING: Version 5.6 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 4: Loading the Index Template in Elasticsearch
editStep 4: Loading the Index Template in Elasticsearch
editIn Elasticsearch, index templates are used to define settings and mappings that determine how fields should be analyzed.
The recommended index template file for Filebeat is installed by the Filebeat packages. If you accept
the default configuration for template loading in the filebeat.yml
config file,
Filebeat loads the template automatically after successfully connecting to Elasticsearch. If the template
already exists, it’s not overwritten unless you configure Filebeat to do so.
If you want to disable automatic template loading, or you want to load your own template, you can change the settings for template loading in the Filebeat configuration file. If you choose to disable automatic template loading, you need to load the template manually. For more information, see:
- Configuring Template Loading - supported for Elasticsearch output only
- Loading the Template Manually - required for Logstash output
Configuring Template Loading
editBy default, Filebeat automatically loads the recommended template file, filebeat.template.json
,
if Elasticsearch output is enabled. You can configure filebeat to load a different template
by adjusting the template.name
and template.path
options in filebeat.yml
file:
output.elasticsearch: hosts: ["localhost:9200"] template.name: "filebeat" template.path: "filebeat.template.json" template.overwrite: false
By default, if a template already exists in the index, it is not overwritten. To overwrite an existing
template, set template.overwrite: true
in the configuration file.
To disable automatic template loading, comment out the template part under the Elasticsearch output.
The options for auto loading the template are not supported if you are using the Logstash output.
Loading the Template Manually
editIf you disable automatic template loading, you need to run the following command to load the template:
deb or rpm:
curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/filebeat' -d@/etc/filebeat/filebeat.template.json
mac:
cd filebeat-5.6.16-darwin-x86_64 curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/filebeat' -d@filebeat.template.json
docker:
docker run --rm docker.elastic.co/beats/filebeat:5.6.16 curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/filebeat' -d@filebeat.template.json
win:
PS C:\Program Files\Filebeat> Invoke-WebRequest -Method Put -InFile filebeat.template.json -Uri http://localhost:9200/_template/filebeat?pretty -ContentType application/json
where localhost:9200
is the IP and port where Elasticsearch is listening.
If you’ve already used Filebeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from filebeat-* to force Kibana to look at the newest documents. Use this command:
curl -XDELETE 'http://localhost:9200/filebeat-*'