[Filebeat] Add experimental to journald input docs, rename two fields (…

…#28065) (#28160)

* Add the experimental tag to journald input

Mark the docs as experimental to match the code.

Also fix the regexp condition in the example config.

* Fix journald field mappings

There was a typo in the word `capabilities` for `journald.process.capabilities`.

And the mapping for syslog facility should have been to `log.syslog.facility.code` because the
value is a number rather than a name.

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>

CHANGELOG.next.asciidoc

@@ -49,7 +49,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Journalbeat*
 
 - Improve parsing of syslog.pid in journalbeat to strip the username when present {pull}16116[16116]
-
+- Rename field `journald.process.capabilites` to `journald.process.capabilities` to fix spelling. {pull}28065[28065]
+- Rename field `log.syslog.facility.name` to `log.syslog.facility.code` because the value is numeric rather than the facility name. {pull}28065[28065]
 
 *Metricbeat*
 

filebeat/docs/inputs/input-journald.asciidoc

@@ -7,6 +7,8 @@
 <titleabbrev>journald</titleabbrev>
 ++++
 
+experimental[]
+
 https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html[`journald`]
 is a system service that collects and stores logging data. The `journald` input
 reads this log data and the metadata associated with it.
@@ -50,7 +52,7 @@ possible.
     - _TRANSPORT=kernel
   processors:
     - drop_event:
-        when.not.regex.message: '^iptables'
+        when.not.regexp.message: '^iptables'
 ----
 
 Each example adds the `id` for the input to ensure the cursor is persisted to

journalbeat/_meta/fields.common.yml

@@ -212,10 +212,10 @@
               example: 1
               description: >
                 The ID of the user which runs the process.
-            - name: capabilites
+            - name: capabilities
               required: false
               description: >
-                The effective capabilites of the process.
+                The effective capabilities of the process.
     - name: systemd
       type: group
       description: >

journalbeat/docs/fields.asciidoc

@@ -624,10 +624,10 @@ required: False
 
 --
 
-*`journald.process.capabilites`*::
+*`journald.process.capabilities`*::
 +
 --
-The effective capabilites of the process.
+The effective capabilities of the process.
 
 
 required: False

journalbeat/pkg/journalfield/default.go

@@ -48,7 +48,7 @@ var journaldEventFields = FieldConversion{
 	sdjournal.SD_JOURNAL_FIELD_AUDIT_LOGINUID:    integer("journald.audit.login_uid"),
 	sdjournal.SD_JOURNAL_FIELD_AUDIT_SESSION:     text("journald.audit.session"),
 	sdjournal.SD_JOURNAL_FIELD_BOOT_ID:           text("journald.host.boot_id"),
-	sdjournal.SD_JOURNAL_FIELD_CAP_EFFECTIVE:     text("journald.process.capabilites"),
+	sdjournal.SD_JOURNAL_FIELD_CAP_EFFECTIVE:     text("journald.process.capabilities"),
 	sdjournal.SD_JOURNAL_FIELD_CMDLINE:           text("journald.process.command_line"),
 	sdjournal.SD_JOURNAL_FIELD_CODE_FILE:         text("journald.code.file"),
 	sdjournal.SD_JOURNAL_FIELD_CODE_FUNC:         text("journald.code.func"),
@@ -61,7 +61,7 @@ var journaldEventFields = FieldConversion{
 	sdjournal.SD_JOURNAL_FIELD_MESSAGE:           text("message"),
 	sdjournal.SD_JOURNAL_FIELD_PID:               integer("journald.pid"),
 	sdjournal.SD_JOURNAL_FIELD_PRIORITY:          integer("syslog.priority", "log.syslog.priority"),
-	sdjournal.SD_JOURNAL_FIELD_SYSLOG_FACILITY:   integer("syslog.facility", "log.syslog.facility.name"),
+	sdjournal.SD_JOURNAL_FIELD_SYSLOG_FACILITY:   integer("syslog.facility", "log.syslog.facility.code"),
 	sdjournal.SD_JOURNAL_FIELD_SYSLOG_IDENTIFIER: text("syslog.identifier"),
 	sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID:        integer("syslog.pid"),
 	sdjournal.SD_JOURNAL_FIELD_SYSTEMD_CGROUP:    text("systemd.cgroup"),