docs: update filebeat instructions (#72)

bmorelli25 · web-flow · commit 79582773751e · 2023-01-27T15:15:20.000-08:00
diff --git a/docs/setup.asciidoc b/docs/setup.asciidoc
@@ -25,7 +25,6 @@
 // === Step 3: Configure Filebeat
 
 // tag::configure-filebeat[]
-include::./tab-widgets/code.asciidoc[]
 include::./tab-widgets/filebeat-widget.asciidoc[]
 
 For more information, see the {filebeat-ref}/configuring-howto-filebeat.html[Filebeat reference].
diff --git a/docs/tab-widgets/code.asciidoc b/docs/tab-widgets/code.asciidoc
diff --git a/docs/tab-widgets/filebeat.asciidoc b/docs/tab-widgets/filebeat.asciidoc
@@ -9,21 +9,25 @@ For Filebeat 7.16+
 .filebeat.yaml
 ----
 filebeat.inputs:
-- type: filestream
+- type: filestream <1>
   paths: /path/to/logs.json
   parsers:
     - ndjson:
-        keys_under_root: true
-        overwrite_keys: true
-        add_error_key: true
-        expand_keys: true
+      overwrite_keys: true <2>
+      add_error_key: true <3>
+      expand_keys: true <4>
 
-processors:
+processors: <5>
   - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   - add_kubernetes_metadata: ~
 ----
+<1> Use the filestream input to read lines from active log files.
+<2> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts.
+<3> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.
+<4> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.
+<5> Processors enhance your data. See {filebeat-ref}/filtering-and-enhancing-data.html[processors] to learn more.
 
 For Filebeat < 7.16
 
@@ -57,11 +61,13 @@ processors:
 [source,yaml]
 ----
 annotations:
-  co.elastic.logs/json.keys_under_root: true
-  co.elastic.logs/json.overwrite_keys: true
-  co.elastic.logs/json.add_error_key: true
-  co.elastic.logs/json.expand_keys: true
+  co.elastic.logs/json.overwrite_keys: true <1>
+  co.elastic.logs/json.add_error_key: true <2>
+  co.elastic.logs/json.expand_keys: true <3>
 ----
+<1> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts.
+<2> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.
+<3> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.
 // end::kubernetes[]
 
 
@@ -76,10 +82,11 @@ annotations:
 .docker-compose.yml
 ----
 labels:
-  co.elastic.logs/json.keys_under_root: true
-  co.elastic.logs/json.overwrite_keys: true
-  co.elastic.logs/json.add_error_key: true
-  co.elastic.logs/json.expand_keys: true
+  co.elastic.logs/json.overwrite_keys: true <1>
+  co.elastic.logs/json.add_error_key: true <2>
+  co.elastic.logs/json.expand_keys: true <3>
 ----
+<1> Values from the decoded JSON object overwrite the fields that {filebeat} normally adds (type, source, offset, etc.) in case of conflicts.
+<2> {filebeat} adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors.
+<3> {filebeat} will recursively de-dot keys in the decoded JSON, and expand them into a hierarchical object structure.
 // end::docker[]
-
