From 46412a62de48aba620ffda9e2a1ea07a48c6961b Mon Sep 17 00:00:00 2001
From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Date: Mon, 21 May 2018 09:58:34 +0100
Subject: [PATCH] Strip underscores from journalbeat fields

Elasticsearch does not index fields starting with underscore,
they are reserved for internal use.

Change-Id: I3575f6ba0628c5ff4125910e34185a4d1526aeb9
---
 elk_metrics_6x/templates/journalbeat.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elk_metrics_6x/templates/journalbeat.yml.j2 b/elk_metrics_6x/templates/journalbeat.yml.j2
index fa21506c..2164acaf 100644
--- a/elk_metrics_6x/templates/journalbeat.yml.j2
+++ b/elk_metrics_6x/templates/journalbeat.yml.j2
@@ -37,7 +37,7 @@ journalbeat:
 
   # Lowercase and remove leading underscores, e.g. "_MESSAGE" -> "message"
   # (defaults to false)
-  #clean_field_names: false
+  clean_field_names: true
 
   # All journal entries are strings by default. You can try to convert them to numbers.
   # (defaults to false)