Hi,
I use Logstash's syslog plugin to collect logs. Searching Elasticsearch
and Kibana for the same object gives different results in the _source
field...
Elasticsearch version 1.4.0, Kibana 4.0.0-BETA2
When querying elasticsearch with curl I get:
curl -XGET http://localhost:9200/logstash*/_search?pretty
stml@riakcs:~/work/java/elasticsearch/data/stml_elasticsearch/nodes/0/indices$
curl -XGET 'http://localhost:9200/logstash*/_search?pretty&q=_id:AUoVYl3Ayvv7Nc0uRA6X'
{
  "took" : 7,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "logstash-2014.12.04",
      "_type" : "syslog",
      "_id" : "AUoVYl3Ayvv7Nc0uRA6X",
      "_score" : 1.0,
      "_source":{"message":"pam_authenticate: Authentication failure","@version":"1","@timestamp":"2014-12-04T12:59:35.000Z","type":"syslog","host":"0:0:0:0:0:0:0:1","priority":83,"timestamp":"Dec 4 13:59:35","logsource":"riakcs","program":"su","pid":"15292","severity":3,"facility":10,"facility_label":"security/authorization","severity_label":"Error"}
    } ]
  }
}
But in Kibana I get:
@timestamp  December 4th 2014, 13:59:35.000
@version    1
_id         AUoVYl3Ayvv7Nc0uRA6X
_index      logstash-2014.12.04
_source     {"message":"pam_authenticate: Authentication failure","@version":"1","@timestamp":"2014-12-04T12:59:35.000Z","type":"syslog","host":"0:0:0:0:0:0:0:1"}
_type       syslog
host        0:0:0:0:0:0:0:1
message     pam_authenticate: Authentication failure
type        syslog
A lot of fields are missing from _source...
I would have expected these views of the same field to be alike... Have I
misunderstood something?
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/25a96d8d-6e51-4e48-8294-14bd9b52be34%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
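To make the gap between the two views concrete, here is an added Python example (not from the post, nor from Logstash or Kibana). It loads the two _source documents quoted above, lists the fields the Kibana view dropped, and checks that the syslog priority 83 decomposes into the facility and severity Logstash recorded; is_auth_failure is a hypothetical detection rule that shows why the dropped fields matter to anyone alerting on PAM failures.

```python
import json
from typing import Optional

# Both documents are constructed from the two views quoted in the post:
# the _source returned by the Elasticsearch query, and the shorter _source
# that the Kibana document view displayed for the same _id.
ES_SOURCE = json.loads(
    '{"message":"pam_authenticate: Authentication failure","@version":"1",'
    '"@timestamp":"2014-12-04T12:59:35.000Z","type":"syslog","host":"0:0:0:0:0:0:0:1",'
    '"priority":83,"timestamp":"Dec 4 13:59:35","logsource":"riakcs","program":"su",'
    '"pid":"15292","severity":3,"facility":10,'
    '"facility_label":"security/authorization","severity_label":"Error"}'
)
KIBANA_SOURCE = json.loads(
    '{"message":"pam_authenticate: Authentication failure","@version":"1",'
    '"@timestamp":"2014-12-04T12:59:35.000Z","type":"syslog","host":"0:0:0:0:0:0:0:1"}'
)

# RFC 5424 severity codes; Logstash's syslog input uses the same labels.
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]

def missing_fields(full: dict, shown: dict) -> list:
    """Keys present in the Elasticsearch _source but absent from the other view."""
    return sorted(set(full) - set(shown))

def decode_pri(priority: int) -> tuple:
    """Split a syslog PRI value into (facility, severity): PRI = facility*8 + severity."""
    return divmod(priority, 8)

def syslog_fields_consistent(doc: dict) -> bool:
    """Check that the fields Logstash derived from PRI agree with each other."""
    facility, severity = decode_pri(doc["priority"])
    return (facility == doc["facility"] and severity == doc["severity"]
            and doc["severity_label"] == SEVERITY_LABELS[severity])

def is_auth_failure(doc: dict) -> Optional[bool]:
    """Hypothetical detection rule: an error-or-worse event from the auth facilities
    (4 = auth, 10 = authpriv) whose message reports a PAM authentication failure.
    Returns None when the document lacks the syslog fields the rule needs, which is
    exactly the situation in the Kibana view quoted above."""
    if "facility" not in doc or "severity" not in doc:
        return None
    return (doc["facility"] in (4, 10) and doc["severity"] <= 3
            and "Authentication failure" in doc["message"])
```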