Winlogbeat add "fields" and "fields_under_root" configuration options

[tommynsong]

We have used cases where we add custom fields to each log events.
Currently we are doing that with "fields" options for logstash-forwarded/filebeat and we do mutation and add_field with logstash on Windows.
We would like to replace logstash with Winlogbeat on Windows as a shipper, but we currently can't due to not able to create custom fields.

[ruflin]

That also relates to #726

[monicasarbu]

You can currently configure tags in the shipper section that can help you identify the server that generated the data. When tags is enabled, then each json object will contain a tags field with the value that you set in the configuration file. Would that help you?

I think it makes sense to add the fields configuration to libbeat, so all Beats would make use of it. With the fields configuration you can add more fields to the exported than you can with tags.

[tommynsong]

@monicasarbu i looked at tags, but that doesn't serve our used cases.
We insert a few key value pairs that tags cannot solve.
For example:
{
"customer_id": string,
"machine_id": string,
}

we create some sort of data domain and group those events based on the value of "customer_id".
i guess we can use tag, if we can ensure the order of data to be inserted into the tag array, but that is very error prone.

[monicasarbu]

Yes, I agree that tags is not an ideal solution as you need to rely on the ordering, but it might be a good temporary solution until we implement fields in libbeat.

[tsg]

+1, thanks @tommynsong for opening the issue. We'll try to get this in one of the next releases.

[andrewkroh]

Closing. Please follow #726 for updates.

[andrewkroh]

This feature has been implemented. See #1092 for usage examples. This will be released in v5. It can be tested now from the 5.0 development builds.