I've recently noticed an issue where I lose fields/mappings if I refresh the field list to add a newly parsed field in Kibana. The logs I have are coming from Filebeat and not only have the Filebeat fields, but custom fields parsed out from events from Filebeat. I currently have a template for Logstash to use upon writing to ES in /etc/logstash/, and I have also inserted the same template into ES with the curl command.
Again, I am still receiving the logs from Filebeat and syslog with those newly parsed fields with the yellow warning icon saying that there is no cached mapping for the field. If anyone could offer any assistance, it would be greatly appreciated.
The problem with that is that I will lose the fields I already have in the .kibana index (?) Is it the Kibana index? I run into that if I refresh -- it makes it so that my dashboards/visualizations I already have loaded won't be able to load because there will be no mapping available for those other fields that disappear when I refresh.
So, whenever I try to send new logs in, and I don't already have all the other logs for which I have mappings for in Kibana, if I perform a refresh, I can cache the mapping for the new logs, but the mappings for some of the older logs (which I may send in later but don't currently have any) are lost.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.