Step 3: Loading the Index Template in Elasticsearch

In Elasticsearch, index templates are used to define settings and mappings that determine how fields should be analyzed.

The recommended index template file for Packetbeat is installed by the Packetbeat packages. If you accept the default configuration for template loading in the packetbeat.yml config file, Packetbeat loads the template automatically after successfully connecting to Elasticsearch. If the template already exists, it’s not overwritten unless you configure Packetbeat to do so.

If you want to disable automatic template loading, or you want to load your own template, you can change the settings for template loading in the Packetbeat configuration file. If you choose to disable automatic template loading, you need to load the template manually. For more information, see the following sections.

Configuring Template Loading

By default, Packetbeat automatically loads the recommended template file, packetbeat.template.json, if the Elasticsearch output is enabled. You can configure Packetbeat to load a different template by adjusting the template.name and template.path options in the packetbeat.yml file:

output.elasticsearch:
  hosts: ["localhost:9200"]
  template.name: "packetbeat"
  template.path: "packetbeat.template.json"
  template.overwrite: false

By default, if a template with the configured name already exists in Elasticsearch, it is not overwritten. To overwrite an existing template, set template.overwrite: true in the configuration file.

To disable automatic template loading, comment out the template part under the Elasticsearch output.

The options for auto loading the template are not supported if you are using the Logstash output.

Loading the Template Manually

If you disable automatic template loading, you need to run the following command to load the template:

deb or rpm:

curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/packetbeat' -d@/etc/packetbeat/packetbeat.template.json

mac:

cd packetbeat-5.4.3-darwin-x86_64
curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/packetbeat' -d@packetbeat.template.json

docker:

docker run --rm docker.elastic.co/beats/packetbeat:5.4.3 curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/packetbeat' -d@packetbeat.template.json

win:

PS C:\Program Files\Packetbeat> Invoke-WebRequest -Method Put -InFile packetbeat.template.json -Uri http://localhost:9200/_template/packetbeat?pretty -ContentType application/json

where localhost:9200 is the IP and port where Elasticsearch is listening.
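The following script is an added example (not from the Packetbeat documentation) that performs the manual load above while reproducing the template.overwrite behaviour described under Configuring Template Loading: it checks whether the template already exists, skips it unless overwrite is requested, and fails loudly if Elasticsearch rejects the PUT. It assumes the Elasticsearch exists API (HEAD /_template/<name>) answers 200 or 404, and the variables ES_URL, TEMPLATE_NAME and TEMPLATE_FILE are the script's own.

```shell
#!/bin/sh
# Added example, not part of the Packetbeat docs. Loads the Packetbeat index
# template manually with the same "don't overwrite unless asked" rule that
# the automatic loader applies. Defaults match the deb/rpm layout on the page.
ES_URL="${ES_URL:-http://localhost:9200}"
TEMPLATE_NAME="${TEMPLATE_NAME:-packetbeat}"
TEMPLATE_FILE="${TEMPLATE_FILE:-/etc/packetbeat/packetbeat.template.json}"

# decide_action STATUS OVERWRITE -> prints "load" or "skip".
# STATUS is the HTTP code from HEAD /_template/<name>: 200 = template exists,
# 404 = absent. Any other code is treated as an error and returns 1.
decide_action() {
  status="$1"; overwrite="$2"
  case "$status" in
    404) echo load ;;
    200) if [ "$overwrite" = "true" ]; then echo load; else echo skip; fi ;;
    *)   echo error; return 1 ;;
  esac
}

# template_exists_status NAME -> HTTP status code of HEAD /_template/NAME
template_exists_status() {
  curl -s -o /dev/null -w '%{http_code}' -I "$ES_URL/_template/$1"
}

# load_template NAME FILE OVERWRITE -> 0 on success or skip, 1 on any failure.
load_template() {
  name="$1"; file="$2"; overwrite="${3:-false}"
  [ -r "$file" ] || { echo "template file $file not readable" >&2; return 1; }
  status=$(template_exists_status "$name") || return 1
  action=$(decide_action "$status" "$overwrite") \
    || { echo "unexpected HTTP $status from $ES_URL" >&2; return 1; }
  if [ "$action" = skip ]; then
    echo "template $name already exists; not overwriting (pass true to replace)"
    return 0
  fi
  # -f makes curl exit non-zero on 4xx/5xx, so a rejected template is noticed.
  curl -sf -H 'Content-Type: application/json' -XPUT "$ES_URL/_template/$name" \
       -d@"$file" >/dev/null && echo "template $name loaded from $file"
}

# Uncomment to run against a live cluster:
# load_template "$TEMPLATE_NAME" "$TEMPLATE_FILE" false
```

Pass true as the third argument to load_template to get the same effect as template.overwrite: true in packetbeat.yml.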

If you’ve already used Packetbeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from packetbeat-* to force Kibana to look at the newest documents. Use this command:

curl -XDELETE 'http://localhost:9200/packetbeat-*'