I have different system logs with missing field that depending of user action.
Example:
login
{@timestamp, user:A, src:10.10.10.10, action:login, dst:20.20.20.20}
logout
{@timestamp, user:A, action:logout, dst:20.20.20.20}
When I try to create a visualize table with kibana, if I split my data in:
@timestamp,user,src,action,dst only first log login appears because the second log don't have any "src" field.
How can I show all logs without change data structure.
I use an old kibana 4.
I am not sure how to do this in Kibana 4, but in newer version of kibana, you can enable "show missing values". This will create a bucket for documents that are missing src so they are displayed in the table
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
