mathurin68
December 2, 2017, 3:23pm
1
With alot of help from the discussion board I'm getting closer to this...
I created a field ...
filter {
But the field isn't available in Machine learning
I event tried adding it directly to the JSON for the ML job and that didn't seem to work.
What am I doing wrong now?
dmitri
December 4, 2017, 11:02am
2
Hi Matt,
Could you use the get-field-mappings API to see the mappings of the field you are creating?
mathurin68
December 4, 2017, 4:41pm
3
Thanks Dimitris, just when I thought I was sort of getting it...
This seems to work ...
filter {
and gives me -
and I guess looks ok in the json of the event in Discover -
....but nothing in by_field_name for Machine Learning
dmitri
December 4, 2017, 5:01pm
4
Could you compare the mappings of event_data.Suspicious to something that appears on that list, say event_data.SubStatus?
My guess is that the field name is actually just called Suspicious and not event_data.Suspicious.
Matt can you confirm?
mathurin68
December 4, 2017, 6:09pm
6
Not sure,
and ...
There is one in there... but I think it might be from a previous bungled attempts I made to add/copy the field, I seen to have both in the dev console but NOT available fields in ML -
"winlogbeat-2017.12.01": {
"winlogbeat-2017.12.04": {
dmitri
December 5, 2017, 10:41am
7
Hi Matt,
I have now confirmed copy_to fields are ignored from those drop-downs in the UI. This will be fixed in future release.
As a workaround, you can manually enter the field name in the JSON tab.
1 Like
system
January 2, 2018, 10:41am
8
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
