Aggregate by keyword in kibana 5.6

yishain11 · November 27, 2017, 9:41am

Hi everyone!
I have the following setup: filebeat (collects log file) > logdash (filters JSON) > elasticsearch > kibana.
In kibana, I mapped the data as follows:
get filebeat-2017*/_mapping/log results in:

.
.
.
"commandCommitScn": {
            "type": "long",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "commandScn": {
            "type": "long",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "commandSequence": {
            "type": "long",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "commandTimestamp": {
            "type": "date",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "commandType": {
            "type": "keyword",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "error": {
            "type": "keyword",
            "ignore_above": 1024
          },
          "fieldChanged": {
            "type": "keyword",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "fieldId": {
            "type": "keyword",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "fieldType": {
            "type": "keyword",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "fieldValue": {
            "type": "keyword",
            "fields": {
              "raw": {
                "type": "keyword"
              }
            }
          },
          "fileset": {
            "properties": {
              "module": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "name": {
                "type": "keyword",
                "ignore_above": 1024
              }
            }
...

as you can see, the terms I want to aggragate by are defined as keywords in the mapping.
When I use Discover in kibana, the message field is:

...
"fieldType": "VARCHAR2",
"fieldValue": "85928 CEDEX 9"
"fieldType": "DATE",
...

So it seems like kibana understands that this terms are not plain text, but a terms that need to be read by themselves.
The problem is that I can't find an option in the kibana aggregation in Visualize, that will anable me to aggregate by this fields (more specificly - by there results, for example: how many "fieldType" are dates and how many are other types).
How can I aggregate by the keywords I want?

This is the logstash confic I use:

input {
  beats {
    port => 5044
  }
}
filter{
   split{
     field => "changedFieldList"
        }
   json{
        source => "message"
        target => "parsedJson"
      }
      }
output {
elasticsearch {
hosts => ["http://127.0.0.1:9200"]
 index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

And the file I insert is something like this:

{
	"ChangeInfo": "Archive Log Set archiveLogSet.108058603.108058399 Info:Thread# Sequence# FirstScn LastScn ",
	"documentsList": [{
		"commandScn": "108058599",
		"commandCommitScn": "108058600",
		"commandSequence": "0",
		"commandType": "UPDATE",
		"commandTimestamp": "2017-08-22 14:37:53+03:000",
		"objectDBName": "DEV2",
		"objectSchemaName": "YISHAIN",
		"objectId": "CUSTOMERS",
		"changedFieldsList": [{
			"fieldId": "CUSTOMER_ID",
			"fieldType": "NUMBER",
			"fieldValue": "17",
			"fieldChanged": "N"
		}, {
			"fieldId": "GENDER",
			"fieldType": "VARCHAR2",
			"fieldValue": "Male",
			"fieldChanged": "N"
		}, {
			"fieldId": "DATE_OF_BIRTH",
			"fieldType": "DATE",
			"fieldValue": "1968-04-01 00:00:00+03:000",
			"fieldChanged": "N"
		}, {
			"fieldId": "CREDIT_LIMIT",
			"fieldType": "NUMBER",
			"fieldValue": "14161",
			"fieldChanged": "N"
		}, {
			"fieldId": "INCOME_LEVEL",
			"fieldType": "NUMBER",
			"fieldValue": "67035",
			"fieldChanged": "N"
		}, {
			"fieldId": "COMMENTS",
			"fieldType": "VARCHAR2",
			"fieldValue": "stuff",
			"fieldChanged": "N"
		}, {
			"fieldId": "LAST_UPDTAE",
			"fieldType": "DATE",
			"fieldValue": "2016-01-12 00:00:00+03:000",
			"fieldChanged": "N"
		}],
		"conditionFieldsList": [{
			"fieldId": "CUSTOMER_ID",
			"fieldType": "NUMBER",
			"fieldValue": "17"
		}, {
			"fieldId": "CUSTOMER_FIRST_NAME",
			"fieldType": "VARCHAR2",
			"fieldValue": "Daniel"
		}, {
			"fieldId": "CUSTOMER_LAST_NAME",
			"fieldType": "VARCHAR2",
			"fieldValue": "Washington"
		}, {
			"fieldId": "CUSTOMER_COUNTRY",
			"fieldType": "VARCHAR2",
			"fieldValue": "France"
		}, {
			"fieldId": "CUSTOMER_CITY",
			"fieldType": "VARCHAR2",
			"fieldValue": "La Roche-sur-Yon"
		}, {
			"fieldId": "CUSTOMER_STREET",
			"fieldType": "VARCHAR2",
			"fieldValue": "5 Maple Pass"
		}, {
			"fieldId": "CUSTOMER_ZIPCODE",
			"fieldType": "VARCHAR2",
			"fieldValue": "85928 CEDEX 9"
		}, {
			"fieldId": "PHONE_NUMBER",
			"fieldType": "VARCHAR2",
			"fieldValue": "33-(414)618-3273"
		}, {
			"fieldId": "EMAIL",
			"fieldType": "VARCHAR2",
			"fieldValue": "dwashingtong@tiny.cc"
		}, {
			"fieldId": "GENDER",
			"fieldType": "VARCHAR2",
			"fieldValue": "Male"
		}, {
			"fieldId": "DATE_OF_BIRTH",
			"fieldType": "DATE",
			"fieldValue": "1968-04-01 00:00:00+03:000"
		}, {
			"fieldId": "CREDIT_LIMIT",
			"fieldType": "NUMBER",
			"fieldValue": "14161"
		}, {
			"fieldId": "INCOME_LEVEL",
			"fieldType": "NUMBER",
			"fieldValue": "67035"
		}, {
			"fieldId": "COMMENTS",
			"fieldType": "VARCHAR2",
			"fieldValue": "stuff"
		}, {
			"fieldId": "LAST_UPDTAE",
			"fieldType": "DATE",
			"fieldValue": "2016-01-12 00:00:00+03:000"
		}]
	}]
}

What do I need to do in order to aggregate and visualize by the terms in the JSON file?

Thanks!

tylersmalley · November 28, 2017, 5:56am

In Kibana under your index pattern in Management do you see that the fields are aggregatable? What if you click the refresh field list button?

yishain11 · November 28, 2017, 7:39am

After I refreshed the index pattern like you ask, I see my field in there, and I see that they are aggregateable.
The problem is that in Discover I still can't aggregate by them, even when I search for them, and in Visualize they don't apear ether.

EDIT:
I was able to find these fields in the Discover page, but they seem to be empty, even if they do appear under the "message" field. Why is this happening?

yishain11 · December 5, 2017, 1:15pm

anyone?

system · January 2, 2018, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Type keyword in mapping but not able to aggregate on field kibana Kibana	3	1201	March 15, 2017
Keyword aggregation returns empty Elasticsearch	8	2438	January 3, 2018
Bucket aggregation Terms Kibana	2	244	April 1, 2020
Strange Logstash index fields in visualization Kibana	5	827	October 18, 2017
How to turn fields in a text file into terms in kibana Logstash	2	478	December 21, 2017

Aggregate by keyword in kibana 5.6

Related topics