What's the difference between _type and type in elasticsearch from filebeat?
Looking the data from the query:
Looks like, the _type is the doc type from index, and type is just a field of my source data. If it is, why does filebeat set document_type to be type instead of _type?
I assume this is 5.5.0, right?
This is a preparation for Elasticsearch 6.0, which will only use a single _type per index called doc (though this can be changed through a configuration flag); Elasticsearch 7.0 will completely remove _type. So the value has been moved to the custom type field.
The pull request for this change is https://github.com/elastic/beats/pull/3757, which also links to the relevant Elasticsearch issue.
