I specify a field to be included in a rollup job. Example: windows.service.display_name
Then, when looking through the rolled up index, that data is under the field: windows.service.display_name.terms.value
I haven't been able to find a good answer to this. Thanks.
This is expected behavior. Rollup indices have special internal field naming which are different from original field names. However you can still query (and visualize) against the original field names.
Okay, then is it still possible to create a visualization with both 'live' and rolled up data if the field names differ?
Yes it is! You simply need to create an index pattern with the rollup index name, plus the live data wildcard, for example rollup_logstash,logstash-*. The index pattern will populate the normal field names. Example in docs: https://www.elastic.co/guide/en/kibana/current/visualize-rollup-data.html
Okay, so it 'auto-magically' knows which names to map then for visualizations?
Thanks for that info!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.