I was using Kibana and wondering what the differences are between using or
not using an @ sign before field names. It seems that the default (as in the
timepicker in the dashboard settings) is using the @ before a field, but it
doesn't seem to work in my case. I need to set the Time Field in the
Timepicker with a field name and no @ before it to make it work.

The @timestamp field, created by Logstash by default, has always worked
perfectly out-of-the-box with Kibana's time picker and also with Curator.
Perhaps if you posted one document from your Elasticsearch response it
might help.

But I don't recommend that you create your own fields with @ as a prefix
character. Straying a bit from your question, I created some R scripts to
analyze and plot things in a way that neither Kibana nor Splunk can. What
I've noticed is that when I export as CSV, either from Elasticsearch or
from Splunk, and then import into R's CSV reader, I notice that:

Elasticsearch's @timestamp field becomes the X.timestamp field in R.
Splunk's _time field becomes the X_time field in R.

Which is one very good reason not to add a @ or _ to the front of your own
fields. It's a lot of extra hard-coded processing to figure out the source
and then choose the field using R when it's not the same name as the field
from Elasticsearch.

But I digress.

Brian

On Wednesday, October 29, 2014 1:20:10 PM UTC-4, Iván Fernández Perea wrote:
> I was using Kibana and wondering what the differences are between using
> or not using an @ sign before field names. It seems that the default (as in
> the timepicker in the dashboard settings) is using the @ before a field, but
> it doesn't seem to work in my case. I need to set the Time Field in the
> Timepicker with a field name and no @ before it to make it work.

Thank you very much. I didn't understand why the @ symbol was used before
fields in Kibana; it is perfectly clear now.

I was simply saving some documents from Spark Streaming to Elasticsearch
and I was using Kibana in order to show streaming data in a histogram
panel. My documents didn't have any @ symbol before their names and that's
why the default timepicker wasn't using my timestamp field. As you said, I
think it's better not to add the @ symbol to fields and just simply change it
in Kibana. That way works perfectly.

Thank you again!!

Iván.

On Wednesday, October 29, 2014 21:10:09 UTC+1, Brian wrote:
> The @timestamp field, created by Logstash by default, has always worked
> perfectly out-of-the-box with Kibana's time picker and also with Curator.
> Perhaps if you posted one document from your Elasticsearch response it
> might help.
>
> But I don't recommend that you create your own fields with @ as a prefix
> character. Straying a bit from your question, I created some R scripts to
> analyze and plot things in a way that neither Kibana nor Splunk can. What
> I've noticed is that when I export as CSV, either from Elasticsearch or
> from Splunk, and then import into R's CSV reader, I notice that:
>
> Elasticsearch's @timestamp field becomes the X.timestamp field in R.
> Splunk's _time field becomes the X_time field in R.
>
> Which is one very good reason not to add a @ or _ to the front of your own
> fields. It's a lot of extra hard-coded processing to figure out the source
> and then choose the field using R when it's not the same name as the field
> from Elasticsearch.
>
> But I digress.
>
> Brian