WARNING: Version 1.2 of Filebeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

Elastic Docs Filebeat Reference [1.2] Getting Started With Filebeat
« Step 3 (Optional): Configuring Filebeat to Use Logstash Step 5: Starting Filebeat »

Step 4: Loading the Index Template in Elasticsearchedit

Before starting Filebeat, you need to load the index template, which lets Elasticsearch know which fields should be analyzed in which way.

The recommended template file is installed by the Filebeat packages. You can either configure Filebeat to load the template automatically, or you can run a shell command to load the template:

Configuring Filebeat to Load the Templateedit

To configure Filebeat to load the template, you must enable the elasticsearch output. In the Filebeat configuration file, uncomment the template part under elasticsearch output. By default the template is named filebeat. Adjust the path to your template file.

output:
  elasticsearch:
    hosts: ["localhost:9200"]

    # A template is used to set the mapping in Elasticsearch
    # By default template loading is disabled and no template is loaded.
    # These settings can be adjusted to load your own template or overwrite existing ones
    template:

      # Template name. By default the template name is filebeat.
      #name: "filebeat"

      # Path to template file
      path: "filebeat.template.json"

      # Overwrite existing template
      #overwrite: false

The template is loaded when you start Filebeat. By default, if a template already exists in the index, it is not overwritten. To overwrite an existing template, set overwrite: true in the configuration file.

Running a Shell Command to Load the Templateedit

You can load the template by running the following command:

deb or rpm:

curl -XPUT 'http://localhost:9200/_template/filebeat' -d@/etc/filebeat/filebeat.template.json

mac:

cd filebeat-1.2.3-darwin
curl -XPUT 'http://localhost:9200/_template/filebeat' -d@filebeat.template.json

win:

PS C:\Program Files\Filebeat> Invoke-WebRequest -Method Put -InFile filebeat.template.json -Uri http://localhost:9200/_template/filebeat?pretty

where localhost:9200 is the IP and port where Elasticsearch is listening.

If you’ve already used Filebeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from filebeat-* to force Kibana to look at the newest documents. Use this command:

curl -XDELETE 'http://localhost:9200/filebeat-*'
« Step 3 (Optional): Configuring Filebeat to Use Logstash Step 5: Starting Filebeat »