WARNING: Version 1.3 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 3: Loading the Index Template in Elasticsearch
editStep 3: Loading the Index Template in Elasticsearch
editIn Elasticsearch, index templates are used to define settings and mappings that determine how fields should be analyzed.
The recommended template file is installed by the Packetbeat packages. You can either configure Packetbeat to load the template automatically, or you can load the template manually.
- Configuring Template Loading - supported for Elasticsearch output only
- Loading the Template Manually - required for Logstash output
Configuring Template Loading
editTo configure Packetbeat to load the template, you must enable the Elasticsearch output. In the
Packetbeat configuration file, uncomment the template part under elasticsearch
section. By default
the template is named packetbeat. Adjust the path to your template file.
output: elasticsearch: hosts: ["localhost:9200"] # A template is used to set the mapping in Elasticsearch # By default template loading is disabled and no template is loaded. # These settings can be adjusted to load your own template or overwrite existing ones template: # Template name. By default the template name is packetbeat. #name: "packetbeat" # Path to template file path: "packetbeat.template.json" # Overwrite existing template #overwrite: false
The template is loaded when you start Packetbeat. By default, if a template
already exists in the index, it is not overwritten. To overwrite an existing template,
set overwrite: true
in the configuration file.
The options for auto loading the template are not supported if you are using the Logstash output.
Loading the Template Manually
editYou can load the template by running the following command:
deb or rpm:
curl -XPUT 'http://localhost:9200/_template/packetbeat' -d@/etc/packetbeat/packetbeat.template.json
mac:
cd packetbeat-1.3.1-darwin curl -XPUT 'http://localhost:9200/_template/packetbeat' -d@packetbeat.template.json
win:
PS C:\Program Files\Packetbeat> Invoke-WebRequest -Method Put -InFile packetbeat.template.json -Uri http://localhost:9200/_template/packetbeat?pretty
where localhost:9200
is the IP and port where Elasticsearch is listening.
If you’ve already used Packetbeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from packetbeat-* to force Kibana to look at the newest documents. Use this command:
curl -XDELETE 'http://localhost:9200/packetbeat-*'