Add the ability to set custom fields

[andrewkroh]

This pull request implements the feature requested in #726.

Changes Affecting All Beats

• Added a fields and fields_under_root as options available
  under the shipper configuration. These settings are analogous to settings
  currently available in Filebeat. fields defined in the prospector
  configuration take precedence over fields define in the shipper
  configuration.

Changes Affecting Filebeat

• Added the ability to set a list of tags for each prospector. These tags will
  be appended to the list of tags specified in the shipper configuration.
• Scalar values under fields are not longer automatically converted to strings.

Changes Affecting Winlogbeat

• Added the ability to set tags, fields, and fields_under_root as options
  for each event log.

Examples

Topbeat

shipper:
  fields_under_root: true
  fields:
    aws:
      instance_id: i-33458498
      region: us-east-1
output:
  console:
    pretty: true

{
  "@timestamp": "2016-03-02T03:53:49.793Z",
  "aws": {
    "instance_id": "i-33458498",
    "region": "us-east-1"
  },
  "beat": {
    "hostname": "x",
    "name": "x"
  },
  "count": 1,
  "proc": {
    "cmdline": "/usr/bin/agentX",
    "cpu": {
      "start_time": "Feb05",
      "system": 7178,
      "total": 10789,
      "total_p": 0,
      "user": 3611
    },
    "mem": {
      "rss": 2162688,
      "rss_p": 0,
      "share": 0,
      "size": 2593021952
    },
    "name": "agentX",
    "pid": 395,
    "ppid": 1,
    "state": "running",
    "username": "someuser"
  },
  "type": "process"
}

Filebeat

filebeat:
  prospectors:
    - paths: ["/var/log/myapp/log.json"]
      fields: {app_id: 456789}
      tags: [json]
output:
  logstash:
    hosts: ["localhost:5044"]
shipper:
  tags: ['digital ocean', centos7]
  fields:
    customer_id: 1234567

{
  "@timestamp": "2016-03-02T04:12:32.491Z",
  "beat": {
    "hostname": "x",
    "name": "x"
  },
  "count": 1,
  "fields": {
    "app_id": 456789,
    "customer_id": 1234567
  },
  "input_type": "log",
  "message": "{ \"threadName\": \"MainThread\", \"name\": \"root\", \"thread\": 140735202359648, \"created\": 1336281068.506248, \"process\": 41937, \"processName\": \"MainProcess\", \"relativeCreated\": 9.100914001464844, \"module\": \"tests\", \"funcName\": \"testFormatKeys\", \"levelno\": 20, \"msecs\": 506.24799728393555, \"pathname\": \"tests/tests.py\", \"lineno\": 60, \"asctime\": [\"12-05-05 22:11:08,506248\"], \"message\": \"testing logging format\", \"filename\": \"tests.py\", \"levelname\": \"INFO\", \"special\": \"value\", \"run\": 12 }",
  "offset": 0,
  "source": "/var/log/myapp/log.json",
  "tags": [
    "digital ocean",
    "centos7",
    "json"
  ],
  "type": "log"
}

Winlogbeat

winlogbeat:
  event_logs:
    - name: MyCustomEventLog
      tags: [web]
      fields_under_root: true
      fields: {service_id: web01}
shipper:
  fields_under_root: true
  fields:
    aws:
      instance_id: i-33458498
      region: us-east-1
output:
  console:
    pretty: true

See the test cases for more examples.

Open Questions

• Are you happy with keeping this called fields? (same as it's called in Filebeat)

[andrewkroh]

The Jenkins failure is caused by #1083.

[ruflin]

+1 on approaching this directly with an eventMetadata object. That makes it easy to extend it later with other fields.

[ruflin]

LGTM.

Even though fields has its issue, as far as a I know we haven't found a better option yet and people got used to call it fields, so I would stay with it.

What happens if inside a prospector fields_under_root:true is set and in the shipper fields_under_root:false?

[monicasarbu]

Great work! LGTM

[urso]

we still need tags, if we got fields?

[urso]

All scalar values will be interpreted as strings

This is not true anymore. Types are currently preserved.

[andrewkroh]

I removed this sentence from the docs. I didn't see your comment prior to asking you the question on Slack.

[ruflin]

@urso About tags vs fields: I was thinking the same first but I get the feeling people use them differently. I would keep both if it doesn't add much complexity.

[ruflin]

@andrewkroh

• There seems to be an issue on windows: https://ci.appveyor.com/project/elastic-beats/beats/build/1568/job/ls2h81bajqmoaghk
• I didn't manage to reproduce the race condition from filebeat locally yet: http://build-eu-00.elastic.co/job/Beats-PR/769/console

[andrewkroh]

We could do away with tags since you could implement them with fields. But you couldn't merge the "global" and "local" tags if you used fields to implement tags yourself.

[andrewkroh]

What happens if inside a prospector fields_under_root:true is set and in the shipper fields_under_root:false?

The prospector fields will be added to the root of the document and the shipper fields will be under the fields key.

There seems to be an issue on windows: https://ci.appveyor.com/project/elastic-beats/beats/build/1568/job/ls2h81bajqmoaghk

This should be fixed now. It was due to scalars not being converted to strings under ucfg. The docs have been updated to reflect this change in behavior and the test fixed.

[ruflin]

@andrewkroh Interesting about the fields_under_root. I like it.

[ruflin]

LGTM. @andrewkroh Can you rebase?

[ruflin]

@andrewkroh Seems like the old comment disappeared. The main reason I was thinking about logging is for debugging reason in case we get the info that some fields disappear. Lets leave it out for now and discuss it in case we hit such a case.

[andrewkroh]

It's rebased. Jenkins is failing because of a docker problem.

[danielmotaleite]

Any change of back-porting this to the current topbeat and packetbeat releases? i don't want to upgrade live servers with nightly builds, but i need this custom fields to be able to proper filter things on kibana.

[andrewkroh]

This feature will be included in the upcoming 1.2.0 5.0 release.

[andrewkroh]

I amended my previous comment. I was thinking of environment variable replacement (which is in 1.2). The custom fields feature is in 5.0.

[PauliniMrtns]

Great work,
It would be great if it could be expanded to other beats as well. I opened an issue regarding Metricbeat for instance, where I need to spin-off some additional fields based on existing fields that already exist using metricbeat.

Thanks!

[andrewkroh]

Every Beat has support for fields, fields_under_root, and tags. And most support setting them at the module level too. Checkout the documentation for Metricbeat:

• https://www.elastic.co/guide/en/beats/metricbeat/6.2/configuration-general-options.html#libbeat-configuration-fields
• https://www.elastic.co/guide/en/beats/metricbeat/6.2/configuration-metricbeat.html#_literal_fields_literal

[PauliniMrtns]

Yes but this fields are static right? You define them at the metricbeat.yml if I'm not mistaken. Is there a way to make them variable according to another field pulled from a module? For instance vsphere.virtualmachine.name ?

Thank you!

[andrewkroh]

These fields are static. You could mutate the event in Logstash.

[mehak1bharagava]

@andrewkroh the documentation for adding tags isnt for 7.4 version anywhere. There are too many older versions of addings tags/fields and could you please tell how it is in 7.4 version? Will it be something like this-
filebeat.inputs:
- paths:
- Xxxxxxx\xxxxxxx\logs\dispatcher-scheduler.log
input_type: log
fields:
dispatcher: true
fields_under_root: true

This would be the way to tag each log file with its own tag and then in logstash create an index for this tag? Thanks, I have looked at discussion forum for ES but all are for older versions.

[andrewkroh]

The documentation for tags, fields, and fields_under_root can be found here. Also note that there are processors now for this -- add_fields and add_tags. The processors allow for a condition to be attached.

[mehak1bharagava]

The documentation for tags, fields, and fields_under_root can be found here. Also note that there are processors now for this -- add_fields and add_tags. The processors allow for a condition to be attached.

thank you so much, but has it been updated for logstash as well? From the add_field example, will index be formed in logstash too? For something like this-
filter {
if[type] =="DispatcherApp"{
grok {
match => {"message" => "%{COMBINEDAPACHELOG}"}
} }}
output {
if [@metadata][beat] == "filebeat"{
elasticsearch {
hosts => ["http://localhost:9200"]
sniffing => true
manage_template => false
index => "dispatcher-%{+YYYY.MM.dd}"

}
}