[Filebeat] Changes to text fields in logstash module (#10417)

This PR is an offshoot of conversations and decisions made in #10372 w.r.t `text` fields, but scoped to the `logstash` module.

CHANGELOG.next.asciidoc

@@ -65,6 +65,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Change type of field backend_url and frontend_name in traefik.access metricset to type keyword. {pull}10401[10401]
 - Ingesting Elasticsearch audit logs is only supported with Elasticsearch 6.5.0 and above {pull}10352[10352]
 - Migrate Elasticsearch audit logs fields to ECS {pull}10352[10352]
+- Several text fields in the Logstash module are now indexed as `keyword` fields with `text` multi-fields (ECS). {pull}10417[10417]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -6845,11 +6845,18 @@ The module or class where the event originate.
 *`logstash.log.thread`*::
 +
 --
-type: text
+type: keyword
 
 Information about the running thread where the log originate.
 
 
+*`logstash.log.thread.text`*::
++
+--
+type: text
+
+--
+
 --
 
 *`logstash.log.log_event`*::
@@ -6887,44 +6894,48 @@ slowlog
 
 
 
-*`logstash.slowlog.message`*::
+*`logstash.slowlog.module`*::
 +
 --
-type: text
+type: keyword
 
-Contains the un-parsed log message
+The module or class where the event originate.
 
 
 --
 
-*`logstash.slowlog.module`*::
+*`logstash.slowlog.thread`*::
 +
 --
 type: keyword
 
-The module or class where the event originate.
-
+Information about the running thread where the log originate.
 
---
 
-*`logstash.slowlog.thread`*::
+*`logstash.slowlog.thread.text`*::
 +
 --
 type: text
 
-Information about the running thread where the log originate.
-
+--
 
 --
 
 *`logstash.slowlog.event`*::
 +
 --
-type: text
+type: keyword
 
 Raw dump of the original event
 
 
+*`logstash.slowlog.event.text`*::
++
+--
+type: text
+
+--
+
 --
 
 *`logstash.slowlog.plugin_name`*::
@@ -6960,11 +6971,18 @@ Execution time for the plugin in milliseconds.
 *`logstash.slowlog.plugin_params`*::
 +
 --
-type: text
+type: keyword
 
 String value of the plugin configuration
 
 
+*`logstash.slowlog.plugin_params.text`*::
++
+--
+type: text
+
+--
+
 --
 
 *`logstash.slowlog.plugin_params_object`*::

filebeat/module/logstash/log/_meta/fields.yml

@@ -9,9 +9,12 @@
       description: >
         The module or class where the event originate.
     - name: thread
-      type: text
+      type: keyword
       description: >
         Information about the running thread where the log originate.
+      multi_fields:
+        - name: text
+          type: text
     - name: log_event
       type: object
       description: >

filebeat/module/logstash/slowlog/_meta/fields.yml

@@ -3,22 +3,24 @@
   description: >
     slowlog
   fields:
-    - name: message
-      type: text
-      description: >
-        Contains the un-parsed log message
     - name: module
       type: keyword
       description: >
         The module or class where the event originate.
     - name: thread
-      type: text
+      type: keyword
       description: >
         Information about the running thread where the log originate.
+      multi_fields:
+        - name: text
+          type: text
     - name: event
-      type: text
+      type: keyword
       description: >
         Raw dump of the original event
+      multi_fields:
+        - name: text
+          type: text
     - name: plugin_name
       type: keyword
       description: >
@@ -32,14 +34,16 @@
       description: >
         Execution time for the plugin in milliseconds.
     - name: plugin_params
-      type: text
+      type: keyword
       description: >
         String value of the plugin configuration
+      multi_fields:
+        - name: text
+          type: text
     - name: plugin_params_object
       type: object
       description: >
         key -> value of the configuration used by the plugin.
-
     - name: level
       type: alias
       path: log.level