Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
(cherry picked from commit 03c32c3) Co-authored-by: Mike Birnstiehl <[email protected]>
1 parent 8545be7, commit d8c6422
Showing 3 changed files with 64 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
[[add-logs-service-name]] | ||
= Add a service name to logs | ||
|
||
Adding the `service.name` field to your logs associates them with the services that generate them. | ||
You can use this field to view and manage logs for distributed services located on multiple hosts. | ||
If you've enabled Elastic's new experience, adding a service name also associates your logs with a service in the {kibana-ref}/services.html[Services inventory]. | ||
|
||
To add a service name to your logs, either: | ||
|
||
* Use the `add_fields` processor through an integration, {agent} configuration, or {filebeat} configuration. | ||
* Map an existing field from your data stream to the `service.name` field. | ||
|
||
[discrete] | ||
[[use-the-add-fields-processor-to-add-a-service-name]] | ||
== Use the add fields processor to add a service name | ||
|
||
For log data without a service name, use the {fleet-guide}/add_fields-processor.html[add_fields processor] to add the `service.name` field. | ||
You can add the processor in an integration's settings or in the {agent} or {filebeat} configuration. | ||
|
||
For example, adding the `add_fields` processor to the inputs section of a standalone {agent} or {filebeat} configuration would add `your_service_name` as the `service.name` field: | ||
|
||
[source,console] | ||
---- | ||
processors: | ||
- add_fields: | ||
target: service | ||
fields: | ||
name: your_service_name | ||
---- | ||
|
||
Adding the `add_fields` processor to an integration's settings would add `your_service_name` as the `service.name` field: | ||
|
||
[role="screenshot"] | ||
image::images/add-field-processor.png[Add the add_fields processor to an integration] | ||
|
||
For more on defining processors, refer to {fleet-guide}/elastic-agent-processor-configuration.html[define processors]. | ||
|
||
[discrete] | ||
[[map-an-existing-field-to-the-service-name-field]] | ||
== Map an existing field to the service name field | ||
|
||
For logs that with an existing field being used to represent the service name, map that field to the `service.name` field using the {ref}/field-alias.html[alias field type]. | ||
Follow these steps to update your mapping: | ||
|
||
. From the main {kib} menu, go to **Stack Management** → **Index Management** → **Index Templates**. | ||
. Search for the index template you want to update. | ||
. From the **Actions** menu for that template, select **Edit**. | ||
. Go to **Mappings**, and select **Add field**. | ||
. Under **Field type**, select **Alias** and add `service.name` to the **Field name**. | ||
. Under **Field path**, select the existing field you want to map to the service name. | ||
. Select **Add field**. | ||
|
||
For more ways to add a field to your mapping, refer to {ref}/explicit-mapping.html#add-field-mapping[add a field to an existing mapping]. | ||
|
||
[discrete] | ||
[[additional-ways-to-process-data]] | ||
== Additional ways to process data | ||
|
||
The {stack} provides additional ways to process your data: | ||
|
||
* **{ref}/ingest.html[Ingest pipelines]:** convert data to ECS, normalize field data, or enrich incoming data. | ||
* **{logstash-ref}/introduction.html[Logstash]:** enrich your data using input, output, and filter plugins. |
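Review bot: The opening sentence of the "Map an existing field to the service name field" section is ungrammatical ("For logs that with an existing field being used to represent the service name"); suggest "For logs with an existing field that represents the service name, map that field to the `service.name` field using the alias field type." In the "Use the add fields processor" section, the example is {agent}/{filebeat} YAML but is tagged `[source,console]`; `[source,yaml]` matches the content and avoids rendering it as a Console request. The lead-in to that example says the processor goes in "the inputs section", yet the snippet starts at `processors:` with no surrounding input, so either show one input with the processor nested under it or state that the block is placed under an individual input. In the mapping steps, the procedure ends at "Select **Add field**" without a step to save the edited template; consider adding the final save step and a sentence on when the new alias becomes visible on the data stream.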