0

I have a small question regarding filebeat config. I have done the following changes:

from:

processors:
#- add_host_metadata: ~

to:

processors:
- add_host_metadata: ~

But this adds the fields only to the logs which are new and the old logs do not have host metadata fields. Is there any way in which we can achieve that. SO advised to delete registry but then the user was not able to get the logs (Resend old logs from filebeat to logstash) Is this even advisable?

harry123
  • 760
  • 1
  • 7
  • 22
  • Deleting the registry file will simply tell Filebeat to restart reading all your log files from the beginning and reingest everything. That's perfectly fine if that's what you want to do. – Val Jan 06 '21 at 04:49
  • @Val I am not sure if that will add host metadata based on the NEW filebeat.yml to the old logs as well. Can you please advise. – harry123 Jan 06 '21 at 05:20
  • By deleting the registry, Filebeat will start processing all the log files again provided you still have them on disk of course (i.e. they have not been rotated). By reprocessing all old files, the old log lines will be amended with host metadata. Another way of doing it is to updte the old log files directly in ES using the `_update_by_query` endpoint – Val Jan 06 '21 at 05:54

0 Answers0