'field' data is not getting in the Y-axis

Hello,

I need to parse vmstat logs in a custom format. My log format is as below; the first column is the time in UNIX format.

1498612544 procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
1498612544 r b swpd free buff cache si so bi bo in cs us sy id wa
1498612544 5 0 0 41568 130040 180904 0 0 1649 871 1581 1390 41 22 36 1
1498619874 4 0 0 42504 109584 200984 0 0 1549 915 1585 1386 43 19 36 1
1498622121 4 0 0 43100 109152 201240 0 0 1542 911 1580 1361 42 21 36 1

I can find all the data in Kibana Discover with the correct timestamp (converted from UNIX to normal time). But when I try to plot a line graph, on the Y-axis I get only the aggregated number (count/average etc.), but I want to plot time vs. selected data. My config is as below:

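filter {
    # Drop the two vmstat header rows.
    if [message] =~ "procs --" or [message] =~ "r  b   swpd" {
        drop {}
    }

    # One capture per vmstat column; the bi column is captured as io_bi
    # so that it does not share a field name with the bo column.
    grok {
        match => {
            "message" => "%{INT:vmstat_time} +%{INT:proc_r} +%{INT:proc_b} +%{INT:mem_swpd} +%{INT:mem_free} +%{INT:mem_buff} +%{INT:mem_cache} +%{INT:swp_si} +%{INT:swp_so} +%{INT:io_bi} +%{INT:io_bo} +%{INT:system_in} +%{INT:cpu_cs} +%{INT:cpu_us} +%{INT:cpi_sys} +%{INT:cpi_id} +%{INT:proc_wa}"
        }
    }

    # Use the epoch value in the first column as the event timestamp.
    date {
        match => [ "vmstat_time", "UNIX" ]
    }

    mutate {
        strip => ["time_stamp"]
    }
}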

Thanks in advance.

Hi @ksb25,

After you have added your data, how is your data listed in the Index Pattern overview (Management > Index Pattern)? Are your fields present there and listed as searchable and aggregatable?

This might also be more of a Logstash question than a Kibana one, so maybe this is something for the https://discuss.elastic.co/c/logstash forum instead.
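An added example, not code from either poster or from Elastic: a standalone Python parser for the log format shown in the question. It takes the column names from the vmstat header row, so no two columns can end up under the same field name, and converts every value to an integer before the event is built. The sample lines are constructed from the ones in the question, and the `GROUPS` prefixes are hypothetical names chosen to resemble the question's fields.

```python
from datetime import datetime, timezone

# Constructed sample in the question's format: epoch seconds, then vmstat columns.
SAMPLE = """\
1498612544 procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
1498612544 r b swpd free buff cache si so bi bo in cs us sy id wa
1498612544 5 0 0 41568 130040 180904 0 0 1649 871 1581 1390 41 22 36 1
1498619874 4 0 0 42504 109584 200984 0 0 1549 915 1585 1386 43 19 36 1
"""

# Hypothetical field prefixes per vmstat column (an assumption of this example).
GROUPS = {
    "r": "proc", "b": "proc",
    "swpd": "mem", "free": "mem", "buff": "mem", "cache": "mem",
    "si": "swap", "so": "swap", "bi": "io", "bo": "io",
    "in": "system", "cs": "system",
    "us": "cpu", "sy": "cpu", "id": "cpu", "wa": "cpu",
}


def parse_vmstat(text):
    """Return (events, rejected_line_numbers) for epoch-prefixed vmstat output."""
    columns, events, rejected = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank or empty line
        epoch, rest = parts[0], parts[1:]
        if rest[0] == "procs":
            continue                      # banner row, carries no data
        if rest[:2] == ["r", "b"]:
            # Header row: field names come from here, not from a fixed pattern.
            columns = [f"{GROUPS.get(c, 'vmstat')}_{c}" for c in rest]
            continue
        try:
            if columns is None or len(rest) != len(columns):
                raise ValueError("row does not match the header")
            stamp = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
            values = [int(v) for v in rest]   # numbers, not strings
        except ValueError:
            rejected.append(lineno)       # keep bad rows visible, do not guess
            continue
        events.append({"@timestamp": stamp.isoformat(), **dict(zip(columns, values))})
    return events, rejected
```
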
