Do I need to add new field manually in Elasticsearch?

marsa099 · December 20, 2017, 1:45pm

Hi!
I'm using an ELK setup where I use Grok to filter data inside Logstash. I have defined my Grok filters inside of 02-filebeats-input.conf file like below and I wonder if I in some Elasticsearch way have to manually add the new fields I specified in the Grok filter (queue and windowsize for instance).

The reason why I'm asking is because I cannot see the fields windowsize or queue in Kibana's discover view -> available fields. I can only see them if all my shown results contain this field.

filter {
  grok {

     match => { "message" => "%{TIMESTAMP_ISO8601} %{LOGLEVEL} SomeManager: <ChangeQueue gate: %{GREEDYDATA:**queue**}> window size (in|de)creased to %{INT:**windowsize**}" }

     match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log_level} %{USERNAME:service_name}: %{GREEDYDATA:contents}" }

  }
}

Nathan_Reese · December 20, 2017, 4:02pm

Elasticsearch will automatically add the new fields to the index mapping. However, the index pattern needs to be refreshed in Kibana in order for the new fields to show up in Kibana. Go to Management -> Index Patterns and select your Index Pattern. Then click the refresh field list button in the upper right corner.

marsa099 · December 20, 2017, 4:53pm

Thanks!!

system · January 17, 2018, 4:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Adding new fields from grok filter in logstash Logstash	1	546	November 20, 2018
Index a new filebeat custom field Kibana	3	1235	July 24, 2018
Configure Kibana with default fields Kibana	4	1649	September 20, 2021
Logstash - adding new fields Logstash	3	4343	February 11, 2017
Unable to get the new field in Kibana, defined in logstash! Logstash	1	274	January 16, 2019

Do I need to add new field manually in Elasticsearch?

Related topics