Domain name in hostname is treated as separate field

Hi,

I'm in the position of migrating from the former ELK stack to the latest one.
So I have 2 environments:
Redis -> Logstash(v1.4.2) -> ES(v1.4.2) -> Kibana(v3.1.0)
Redis -> Logstash(v1.5.2) -> ES(v1.7.1) -> Kibana(v4.0.2)

So I have both ES instances with duplicate indexes. Now I am experimenting with charts.
Problem:
When I create a pie chart with Term 'host.raw' (and with 'host' also), it shows all hosts plus the domain name as a separate field. Please note that it is showing properly in Kibana3.

What am I doing wrong?

Thanks ahead
Sergey

It shouldn't be doing that on the .raw field.
It might help if you show us the mapping for the index.


Hi Mark,

Let me clarify my issue, which I narrowed down today, and what I found: it seems that any type .raw field is not working. It just doesn't update the pie chart at all when I select a raw field. If I choose some raw field initially when creating the pie chart, it shows the _all message and seems to sum up all documents.
Below is a cut of the index mapping (it's quite big, so I paste only one type; the rest are the same):

curl -XGET localhost:9200/logstash-2015.08.15/_mapping?pretty
{
  "logstash-2015.08.15" : {
    "mappings" : {
      "syslog-oom" : {
        "properties" : {
          "@timestamp" : {
            "type" : "date",
            "format" : "dateOptionalTime"
          },
          "@version" : {
            "type" : "string"
          },
          "host" : {
            "type" : "string"
          },
          "info" : {
            "type" : "string"
          },
          "message" : {
            "type" : "string"
          },
          "path" : {
            "type" : "string"
          },
          "process" : {
            "type" : "string"
          },
          "source" : {
            "type" : "string"
          },
          "tags" : {
            "type" : "string"
          },
          "timestamp" : {
            "type" : "string"
          },
          "type" : {
            "type" : "string"
          }
        }
      },

Thanks
Sergey

According to your mappings you don't have any .raw fields so it's not surprising that they don't work. Are you defining your own index template? What's in it?


User error!
I missed my indexes' template! Now it's fixed.

Thanks all
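
The check suggested in the replies above (look at the mapping for .raw fields) can be scripted. This is an added example, not part of the original thread: it walks a `_mapping` response and lists string fields that have no `not_analyzed` `raw` sub-field. The sample mapping is constructed, the `syslog-fixed` type name is hypothetical, and flat (non-nested) properties are assumed.

```python
import json

# Constructed sample: "syslog-oom" mirrors the thread's mapping (no .raw
# sub-fields); "syslog-fixed" is a hypothetical type with a "raw" multi-field.
SAMPLE_MAPPING = json.loads("""
{
  "logstash-2015.08.15": {
    "mappings": {
      "syslog-oom": {
        "properties": {
          "@timestamp": {"type": "date", "format": "dateOptionalTime"},
          "host": {"type": "string"},
          "message": {"type": "string"}
        }
      },
      "syslog-fixed": {
        "properties": {
          "host": {
            "type": "string",
            "fields": {"raw": {"type": "string", "index": "not_analyzed"}}
          }
        }
      }
    }
  }
}
""")


def has_raw(field):
    """True if the field carries a not_analyzed 'raw' sub-field."""
    raw = field.get("fields", {}).get("raw", {})
    return raw.get("index") == "not_analyzed"


def missing_raw(mapping):
    """Return sorted (index, type, field) tuples for analyzed string fields without .raw."""
    missing = []
    for index, body in mapping.items():
        for doc_type, type_map in body.get("mappings", {}).items():
            for name, field in type_map.get("properties", {}).items():
                analyzed = field.get("index") != "not_analyzed"
                if field.get("type") == "string" and analyzed and not has_raw(field):
                    missing.append((index, doc_type, name))
    return sorted(missing)


if __name__ == "__main__":
    for index, doc_type, name in missing_raw(SAMPLE_MAPPING):
        print(f"{index}/{doc_type}: '{name}' has no not_analyzed .raw sub-field")
```

Feeding it the saved output of the `curl ... /_mapping` call from the thread instead of the sample shows which indexes were created without the template applied.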