Hi,
Below is the content of a field say "Field1" when we do Discover with an index on Kibana dashboard. I want to extract value of a particular subfield like Request Size or Request IP or any other and visualize on Kibana.
How could we implement this? Are there any filter plugins or other ways to approach this.
{
"API Details": {
"API Name": "api1"
"API Version": "v1"
"Request Size": "1101"
" Request IP": "10.17.192.201"
}
}
The "Field1.API Details.Request Size" and "Field1.API Details.Request IP" fields will be available as-is, but if you want a shorter field name you can use a mutate filter to either rename the existing fields or copy them. Just mind the notation used for nested fields: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references
Thanks for the response.
How could we access "Field1.API Details.Request Size" or "Field1.API Details.Request IP" to display on Kibana. When I do Sub Aggregation by Terms, I am able to see "Field1" only in the drop down.
Have you refreshed the field list in Kibana?
If yes, please show an example document (copy/paste from Kibana's JSON tab) and a screenshot of what you just described.
Yes Magnus , I refreshed the field list in Kibana, but not able to find.
I put below the excerpts of json file.
{
"_index": "filebeat-2018.03.13"
"_type": "log"
"_version": "1"
"Field1": "{\n "API Details" : "{\n "API Name": "api1",\n "API Version": "v1",\n "Request Size": "1101",\n "Request IP": "10.17.192.201",\n }\n }
}
For some security reasons , I am not able to put the screenshot while I would like to explain you the scenario in bit detail for your understanding.
Scenario:
In Visualization section of Kibana, I select a "Table", then "Add Subucket" -> "Split Rows" -> "Sub Aggregation" by Terms -> "Select a Field" . But in the dropdown field section , only I can see Field1.keyword .
I am still not able to find "Field1.API Details.Request Size" or "Field1.API Details.Request IP".
Could you please provide your insights.
Okay, that explains things. The Field1 field is a JSON string that you need to parse with a json filter.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.