[Filebeat] List of text fields to be converted

filebeat/module/elasticsearch/slowlog/_meta/fields.yml

@@ -10,14 +10,16 @@
   - name: took
     description: "Time it took to execute the query"
     example: "300ms"
-    type: text
+    # Should we extrac that nicer?
+    type: keyword
   - name: types
     description: "Types"
     example: ""
     type: keyword
   - name: stats
     description: "Statistics"
     example: ""
+    # What does this exactly contain, do we need text?
     type: text
   - name: search_type
     description: "Search type"
@@ -26,10 +28,12 @@
   - name: source_query
     description: "Slow query"
     example: "{\"query\":{\"match_all\":{\"boost\":1.0}}}"
+    # Do we need text?
     type: text
   - name: extra_source
     description: "Extra source information"
     example: ""
+    # Do we need text?
     type: text
   - name: total_hits
     description: "Total hits"

filebeat/module/haproxy/_meta/fields.yml

@@ -50,17 +50,20 @@
 
         - name: error_message
           description: Error message logged by HAProxy in case of error.
+          # Text needed?
+          # Should it map to ECS?
           type: text
 
         - name: source
-          type: text
+          # What kind of source is this?
+          type: keyword
           description: The HAProxy source of the log
 
         - name: termination_state
           description: Condition the session was in when the session ended.
 
         - name: mode
-          type: text
+          type: keyword
           description: mode that the frontend is operating (TCP or HTTP)
 
         - name: connections

filebeat/module/haproxy/log/_meta/fields.yml

@@ -14,6 +14,7 @@
     - name: captured_headers
       description: >
         List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
+      # Do we need text?
       type: text
 
     - name: status_code
@@ -32,10 +33,12 @@
     - name: captured_headers
       description: >
         List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
+      # Do we need text? does this even have be be indexed?
       type: text
 
     - name: raw_request_line
       description: Complete HTTP request line, including the method, request and HTTP version string.
+      # keyword? sounds like a .original field but none is matching
       type: text
 
     - name: time_wait_without_data_ms

filebeat/module/kafka/log/_meta/fields.yml

@@ -17,7 +17,8 @@
       description: >
         Component the log is coming from.
     - name: class
-      type: text
+      # Is there a reaons this would not be an exact search?
+      type: keyword
       description: >
         Java class the log is coming from.
     - name: trace
@@ -30,10 +31,12 @@
           description: >
             Java class the trace is coming from.
         - name: message
+          # Should this be mapped to `message` instead`? How is it different from the above message?
           type: text
           description: >
               Message part of the trace.
         - name: full
+          # Sounds like potentially worth as text, not sure where this fits
           type: text
           description: >
               The full trace in the log line.

filebeat/module/logstash/log/_meta/fields.yml

@@ -9,7 +9,7 @@
       description: >
         The module or class where the event originate.
     - name: thread
-      type: text
+      type: keyword
       description: >
         Information about the running thread where the log originate.
     - name: log_event

filebeat/module/logstash/slowlog/_meta/fields.yml

@@ -4,6 +4,7 @@
     slowlog
   fields:
     - name: message
+      # This should go into log.original? Or is it `message`?
       type: text
       description: >
         Contains the un-parsed log message
@@ -12,10 +13,12 @@
       description: >
         The module or class where the event originate.
     - name: thread
+      # Keyword?
       type: text
       description: >
         Information about the running thread where the log originate.
     - name: event
+      # event.original? or log.original?
       type: text
       description: >
         Raw dump of the original event
@@ -32,6 +35,7 @@
       description: >
         Execution time for the plugin in milliseconds.
     - name: plugin_params
+      # Keyword?
       type: text
       description: >
         String value of the plugin configuration

filebeat/module/traefik/access/_meta/fields.yml

@@ -12,10 +12,12 @@
       description: >
         The number of requests
     - name: frontend_name
+      # Keyword?
       type: text
       description: >
         The name of the frontend used
     - name: backend_url
+      # Keyword? Or map to url.original
       type: text
       description:
         The url of the backend where request is forwarded