Can't sort by column/field in Kabana

JackieLaFrite · April 13, 2023, 1:00pm

Hello, I'm currently implementing ELK on my environment to retrieve the logs and I got a problem.

In the discover tab, I can't sort a column. I can only sort by the @Timestamp.

I would like to be able to sort by the column time or type. Here is my logstash.conf :

input {
  file {
    path => "/var/log/serverlogs/manager.*.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
	  pattern => "^\s"
	  what => "previous"
    }
    type => "manager"
  }
}

filter{
	if [type] == "manager" {
		grok{
			match => {"message" => [
				"%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{LOGLEVEL:log_level} %{GREEDYDATA:message_of_log}"
			]}
		}
	}
}

Marius_Dragomir · April 15, 2023, 3:22am

Can you post the mapping that you have for that index? sort will work depending on the field type. As far as I know you can sort on datetime, numeric and keyword fields. You can change the time field to be "numeric" in miliseconds and then set as "human readable" and "duration" type in the field formatter in Kibana. (that will be available in the Data Views menu)

JackieLaFrite · April 15, 2023, 3:50pm

Hi, thanks for your answer.

Here is the data views page :

And here is the field that I need to modify but I can't :

I got the mapping with this command in the console (but i'm not sure that this is the mapping of the index of this dataview, because I only have the index pattern as information) :

GET /logstash/_mapping

Here is the mapping :

{
  "logstash-2023.03.28-000001": {
    "mappings": {
      "dynamic_templates": [
        {
          "message_field": {
            "path_match": "message",
            "match_mapping_type": "string",
            "mapping": {
              "norms": false,
              "type": "text"
            }
          }
        },
        {
          "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "fields": {
                "keyword": {
                  "ignore_above": 256,
                  "type": "keyword"
                }
              },
              "norms": false,
              "type": "text"
            }
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "keyword"
        },
        "auth": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "bytes": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "client": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "client_ip": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "day": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "event": {
          "properties": {
            "original": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              },
              "norms": false
            }
          }
        },
        "geoip": {
          "dynamic": "true",
          "properties": {
            "ip": {
              "type": "ip"
            },
            "latitude": {
              "type": "half_float"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        },
        "host": {
          "properties": {
            "name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              },
              "norms": false
            }
          }
        },
        "http_version": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "httpversion": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "ident": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "log": {
          "properties": {
            "file": {
              "properties": {
                "path": {
                  "type": "text",
                  "fields": {
                    "keyword": {
                      "type": "keyword",
                      "ignore_above": 256
                    }
                  },
                  "norms": false
                }
              }
            }
          }
        },
        "logLevel": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "message": {
          "type": "text",
          "norms": false
        },
        "month": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "myloglevel": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "mymessage": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "mytime": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "request": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "response_code": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "response_size": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "status": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "tags": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "time": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "timestamp": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "type": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "user_agent": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "verb": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        },
        "year": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          },
          "norms": false
        }
      }
    }
  }
}

How can I modify the mapping ?

Marius_Dragomir · April 15, 2023, 9:18pm

Ideally the mapping has to be set at index creation time, but you can update it for future data to be ingested.
This is the API: Update mapping API | Elasticsearch Guide [8.7] | Elastic
There also a very nice blog about it that matches your use case of ingesting via Logstash: Little Logstash Lessons: Using Logstash to help create an Elasticsearch mapping template | Elastic Blog

jughosta · April 17, 2023, 8:31am

Hi @JackieLaFrite,

Adding time.keyword and type.keyword fields to the table will allow sorting by them (instead of time and type fields with "text" type).

system · May 15, 2023, 10:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.