From ca55708461b4e85cf3bcd125b79b9640b85ce3ca Mon Sep 17 00:00:00 2001
From: Francesco Gualazzi
Date: Tue, 18 Jan 2022 11:12:00 +0100
Subject: [PATCH] Fix Filebeat dissect processor field tokenization in documentation (#29680)
Signed-off-by: inge4pres
(cherry picked from commit e1ca29dc7f2d64ef72829f886f09fc3114e76f26)
---
 libbeat/processors/dissect/docs/dissect.asciidoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libbeat/processors/dissect/docs/dissect.asciidoc b/libbeat/processors/dissect/docs/dissect.asciidoc
index b3dcf240c7e5..a7a68a45c123 100644
--- a/libbeat/processors/dissect/docs/dissect.asciidoc
+++ b/libbeat/processors/dissect/docs/dissect.asciidoc
@@ -74,14 +74,14 @@ For this example, imagine that an application generates the following messages:
 "789 - App02 - Database is refreshing tables"
 ----
-Use the `dissect` processor to split each message into two fields, for example,
+Use the `dissect` processor to split each message into three fields, for example,
 `service.pid`, `service.name` and `service.status`:
 [source,yaml]
 ----
 processors:
 - dissect:
- tokenizer: '"%{pid|integer} - %{service.name} - %{service.status}"'
+ tokenizer: '"%{service.pid|integer} - %{service.name} - %{service.status}"'
 field: "message"
 target_prefix: ""
 ----
@@ -98,7 +98,7 @@ This configuration produces fields like:
 ----
 `service.name` is an ECS {ref}/keyword.html[keyword field], which means that you
-can use it in {es} for filtering, sorting, and aggregations.
+can use it in {es} for filtering, sorting, and aggregations.
 When possible, use ECS-compatible field names. For more information, see the {ecs-ref}/index.html[Elastic Common Schema] documentation.