The original error about Malformed mappings went away after encapsulating everything within "mappings" inside another field; in my case I called it "packetbeat_doc":
Code:
    "mappings": {
      "packetbeat_doc" : {
        "_meta": {
          "beat": "packetbeat",
          "version": "7.15.2"
Then, trying to load the index template again, I got another error message:
Code:
    [user@nls1 ~]$ curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/packetbeat-7.15.2?pretty=true -d@packetbeat.template.json
    {
      "error" : "ActionRequestValidationException[Validation Failed: 1: template is missing;]",
      "status" : 400
    }
The new error was resolved by defining the template field at the top, in my case: "template" : "packetbeat-*"
Code:
    {
      "template" : "packetbeat-*",
      "index_patterns": [
        "packetbeat-7.15.2-*"
      ],
      "mappings": {
        "packetbeat_doc" : {
          "_meta": {
After that change, the index template seemed to load just fine:
Code:
    [user@nls1 ~]$ curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/packetbeat-7.15.2?pretty=true -d@packetbeat.template.json
    {
      "acknowledged" : true
    }
Now the issue appears to be setting an Output correctly to get the Packetbeat data to create indices correctly when going into ES. I've tried the following as an Output under Global Config > Outputs:
Code:
    elasticsearch {
      hosts => ['localhost']
      index => '%{[@metadata][beat]}-%{[@metadata][version]}'
    }
Now there is an index named appropriately:
Code:
    [user@nls1 ~]$ curl -XGET localhost:9200/_cat/indices/packet*
    green open packetbeat-7.15.2 5 1 108391 0 157.6mb 76.9mb
However, I'm unable to figure out how to access that data via Dashboards (only the usual Logstash indices appear viewable). Also, it appears that the Packetbeat data is being duplicated into the usual Logstash indices. Perhaps I need to prepend the Output with an if statement so only the Packetbeat data is processed by that Output and is not also processed by the built-in Output for NLS?
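
The two template edits described in this post, plus a check of which template patterns cover the index name that the output creates, as an added Python example that is not part of the original post. The function names and the sample template are constructed for illustration, and `fnmatch` is assumed to be a close enough stand-in for the server's `*` wildcard matching.

```python
import copy
import fnmatch
import json

# Constructed sample: a cut-down Beats 7.x style template (not the real file).
SAMPLE = {
    "index_patterns": ["packetbeat-7.15.2-*"],
    "mappings": {
        "_meta": {"beat": "packetbeat", "version": "7.15.2"},
        "properties": {"@timestamp": {"type": "date"}},
    },
}


def to_legacy_template(template, doc_type, pattern):
    """Apply the post's two edits to a copy of the template: nest the
    mappings body under doc_type and add a top-level "template" key."""
    if not isinstance(template.get("mappings"), dict):
        raise ValueError("template has no 'mappings' object")
    out = copy.deepcopy(template)
    # Skip the wrap if a previous run already nested the mappings.
    if list(out["mappings"]) != [doc_type]:
        out["mappings"] = {doc_type: out["mappings"]}
    out.pop("template", None)
    # "template" goes first, as in the post; other keys keep their order.
    return {"template": pattern, **out}


def pattern_applies(pattern, index_name):
    """True if a template pattern covers index_name. Assumption: only '*'
    is used as a wildcard, so fnmatch behaves like the server's matching."""
    return fnmatch.fnmatchcase(index_name, pattern)


if __name__ == "__main__":
    legacy = to_legacy_template(SAMPLE, "packetbeat_doc", "packetbeat-*")
    print(json.dumps(legacy, indent=2))
    # Index name produced by '%{[@metadata][beat]}-%{[@metadata][version]}'
    index_name = "packetbeat-7.15.2"
    for pat in [legacy["template"], *legacy["index_patterns"]]:
        print(pat, "covers", index_name, "->", pattern_applies(pat, index_name))
```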