shipper field is analysed (suggestion)

[jalberto]

current default configuration index shipper field as indexed causing host names like foo-bar-1 behave funny on visualizations.

I suggest set shipper as not_analysed so kibana can aggregate data properly

(probably must applied to other fields that use host as value)

[monicasarbu]

You need to load the template available under https://github.com/elastic/packetbeat/blob/master/etc/packetbeat.template.json in order to set shipper and other fields to "not_analysed". Please have a look at the documentation: https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-getting-started.html

The template is also available in the Packetbeat package. So, you just need to run the following command:

deb or rpm:

curl -XPUT 'http://localhost:9200/_template/packetbeat' -d@/etc/packetbeat/packetbeat.template.json

mac:

cd packetbeat-1.0.0-beta3-darwin
curl -XPUT 'http://localhost:9200/_template/packetbeat' -d@packetbeat.template.json

[jalberto]

I did it afterwards, but explicitly defined shipper as not_analyzed

Maybe is not clear enough in the documentation, it looks like an optional step not a necessary one

Thanks for your answer!