diff --git a/docs/en/observability/images/add-field-processor.png b/docs/en/observability/images/add-field-processor.png new file mode 100644 index 0000000000..fc580c22d3 Binary files /dev/null and b/docs/en/observability/images/add-field-processor.png differ diff --git a/docs/en/observability/index.asciidoc b/docs/en/observability/index.asciidoc index 0a2ce2f146..ab248fe921 100644 --- a/docs/en/observability/index.asciidoc +++ b/docs/en/observability/index.asciidoc @@ -59,6 +59,8 @@ include::configure-logs-sources.asciidoc[leveloffset=+3] include::logs-monitor-datasets.asciidoc[leveloffset=+2] +include::logs-add-service-name.asciidoc[leveloffset=+2] + include::logs-index-template.asciidoc[leveloffset=+2] include::logs-troubleshooting.asciidoc[leveloffset=+2] diff --git a/docs/en/observability/logs-add-service-name.asciidoc b/docs/en/observability/logs-add-service-name.asciidoc new file mode 100644 index 0000000000..657334f1ec --- /dev/null +++ b/docs/en/observability/logs-add-service-name.asciidoc @@ -0,0 +1,62 @@ +[[add-logs-service-name]] += Add a service name to logs + +Adding the `service.name` field to your logs associates them with the services that generate them. +You can use this field to view and manage logs for distributed services located on multiple hosts. +If you've enabled Elastic's new experience, adding a service name also associates your logs with a service in the {kibana-ref}/services.html[Services inventory]. + +To add a service name to your logs, either: + +* Use the `add_fields` processor through an integration, {agent} configuration, or {filebeat} configuration. +* Map an existing field from your data stream to the `service.name` field. + +[discrete] +[[use-the-add-fields-processor-to-add-a-service-name]] +== Use the add fields processor to add a service name + +For log data without a service name, use the {fleet-guide}/add_fields-processor.html[add_fields processor] to add the `service.name` field. +You can add the processor in an integration's settings or in the {agent} or {filebeat} configuration. + +For example, adding the `add_fields` processor to the inputs section of a standalone {agent} or {filebeat} configuration would add `your_service_name` as the `service.name` field: + +[source,console] +---- +processors: + - add_fields: + target: service + fields: + name: your_service_name +---- + +Adding the `add_fields` processor to an integration's settings would add `your_service_name` as the `service.name` field: + +[role="screenshot"] +image::images/add-field-processor.png[Add the add_fields processor to an integration] + +For more on defining processors, refer to {fleet-guide}/elastic-agent-processor-configuration.html[define processors]. + +[discrete] +[[map-an-existing-field-to-the-service-name-field]] +== Map an existing field to the service name field + +For logs that with an existing field being used to represent the service name, map that field to the `service.name` field using the {ref}/field-alias.html[alias field type]. +Follow these steps to update your mapping: + +. From the main {kib} menu, go to **Stack Management** → **Index Management** → **Index Templates**. +. Search for the index template you want to update. +. From the **Actions** menu for that template, select **Edit**. +. Go to **Mappings**, and select **Add field**. +. Under **Field type**, select **Alias** and add `service.name` to the **Field name**. +. Under **Field path**, select the existing field you want to map to the service name. +. Select **Add field**. + +For more ways to add a field to your mapping, refer to {ref}/explicit-mapping.html#add-field-mapping[add a field to an existing mapping]. + +[discrete] +[[additional-ways-to-process-data]] +== Additional ways to process data + +The {stack} provides additional ways to process your data: + +* **{ref}/ingest.html[Ingest pipelines]:** convert data to ECS, normalize field data, or enrich incoming data. +* **{logstash-ref}/introduction.html[Logstash]:** enrich your data using input, output, and filter plugins. \ No newline at end of file