Can't sort by column/field in Kibana

Hello, I'm currently implementing ELK on my environment to retrieve the logs and I got a problem.

In the Discover tab, I can't sort by a column. I can only sort by @timestamp.

I would like to be able to sort by the column time or type. Here is my logstash.conf :

# Read the manager log files and emit each (possibly multi-line) entry as one event.
input {
  file {
    path => "/var/log/serverlogs/manager.*.log"
    # Read every matched file from its first line instead of only newly appended lines.
    start_position => "beginning"
    # The read-position database is written to /dev/null, so no position survives a restart.
    # NOTE(review): together with start_position => "beginning" this presumably re-ingests
    # every file on each restart, producing duplicate events. Confirm this is meant for testing only.
    sincedb_path => "/dev/null"
    codec => multiline {
	  # A line that starts with whitespace is joined to the previous line's event.
	  pattern => "^\s"
	  what => "previous"
    }
    # Sets the type field that the filter section tests with [type] == "manager".
    type => "manager"
  }
}

# Split "manager" events into separate fields; other events pass through unchanged.
filter{
	if [type] == "manager" {
		grok{
			# Extracts day, month, year, time, log_level and message_of_log from the message field.
			# No type suffix is given on any capture, so each of them is stored as a string.
			# NOTE(review): no date filter follows, so @timestamp is not built from day/month/year/time here;
			# it presumably reflects when Logstash read the line rather than when the event was logged. Confirm.
			match => {"message" => [
				"%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{LOGLEVEL:log_level} %{GREEDYDATA:message_of_log}"
			]}
		}
	}
}

Can you post the mapping that you have for that index? Whether sorting works depends on the field type. As far as I know you can sort on datetime, numeric and keyword fields. You can change the time field to be "numeric" in milliseconds and then set it as "human readable" and "duration" type in the field formatter in Kibana (that is available in the Data Views menu).

Hi, thanks for your answer.

Here is the data views page :

And here is the field that I need to modify but I can't :

I got the mapping with this command in the console (but I'm not sure that this is the mapping of the index behind this data view, because the index pattern is the only information I have):

GET /logstash/_mapping

Here is the mapping :

{
  "logstash-2023.03.28-000001": {
    "mappings": {
      "dynamic_templates": [
        {
          "message_field": {
            "path_match": "message",
            "match_mapping_type": "string",
            "mapping": {
              "norms": false,
              "type": "text"
            }
          }
        },
        {
          "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "fields": {
                "keyword": {
                  "ignore_above": 256,
                  "type": "keyword"
                }
              },
              "norms": false,
              "type": "text"
            }
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "keyword"
        },
        "auth": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "bytes": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "client": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "client_ip": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "day": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "event": {
          "properties": {
            "original": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              },
              "norms": false
            }
          }
        },
        "geoip": {
          "dynamic": "true",
          "properties": {
            "ip": {
              "type": "ip"
            },
            "latitude": {
              "type": "half_float"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        },
        "host": {
          "properties": {
            "name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              },
              "norms": false
            }
          }
        },
        "http_version": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "httpversion": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "ident": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "log": {
          "properties": {
            "file": {
              "properties": {
                "path": {
                  "type": "text",
                  "fields": {
                    "keyword": {
                      "type": "keyword",
                      "ignore_above": 256
                    }
                  },
                  "norms": false
                }
              }
            }
          }
        },
        "logLevel": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "message": {
          "type": "text",
          "norms": false
        },
        "month": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "myloglevel": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "mymessage": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "mytime": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "request": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "response_code": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "response_size": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "status": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "tags": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "time": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "timestamp": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "type": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "user_agent": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "verb": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "year": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        }
      }
    }
  }
}

How can I modify the mapping ?

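Ideally the mapping has to be set at index creation time, but you can update it for future data to be ingested. Note that the type of a field that already exists in an index cannot be changed in place; the new type only applies to indices created afterwards, and existing documents have to be reindexed to pick it up.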
This is the API: Update mapping API | Elasticsearch Guide [8.7] | Elastic
There is also a very nice blog post about it that matches your use case of ingesting via Logstash: Little Logstash Lessons: Using Logstash to help create an Elasticsearch mapping template | Elastic Blog

Hi @JackieLaFrite,

Adding time.keyword and type.keyword fields to the table will allow sorting by them (instead of time and type fields with "text" type).
