I'm new to the elastic stack. Trying to visualize some data from our squid proxies and am having trouble. I've set a field in the grok filter to specifically set the type to number like so:
%{NUMBER:reply_size_include_header}
But when I view the fields in the Kibana index patterns page, it's classifying it as a string and not a number, so I can't generate some graphs. The data itself is parsed correctly. I don't know enough about these products to know where to look. Anyone seen this kind of issue before?
When you say you set the field in the grok filter, where did you do this exactly?
If you go to Management > Index Patterns and select your index pattern, then click the refresh button in the top right-hand corner of the screen. After doing that, what does the row include for this column?
So in /etc/logstash/conf.d I created a .conf file for the squid logs and within the grok filter I specifically set the reply_size_include_header field to be a number, as shown in my first post. If I go to Management -> Index Patterns and refresh, it shows string for both the reply_size_include_header and reply_size_include_header.keyword fields. The value itself in the log is a number so it’s not like it needs to do any conversions.
Now I'm noticing in Kibana that there's a conflict on the field type. The two choices that I have are URL and String, which doesn't really make much sense at all.
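An added example, not part of any post in this thread: in a grok pattern, `%{NUMBER:name}` only checks that the text looks like a number and still stores the capture as a string, while a `:int` or `:float` suffix makes grok emit a numeric value. The pattern below is a constructed sketch for a squid access log line; every field name other than `reply_size_include_header` is an assumption.

```logstash
# Added example; the pattern layout and all field names except
# reply_size_include_header are assumed, not taken from the thread.
filter {
  grok {
    # Without a suffix, %{NUMBER:reply_size_include_header} yields a string.
    # The :int suffix coerces the captured text to an integer in the event.
    match => {
      "message" => "%{NUMBER:log_time}\s+%{NUMBER:duration_ms:int} %{IPORHOST:client_ip} %{NOTSPACE:result_code} %{NUMBER:reply_size_include_header:int} %{GREEDYDATA:rest}"
    }
  }

  # Alternative when the grok pattern cannot be changed: convert after parsing.
  # mutate {
  #   convert => { "reply_size_include_header" => "integer" }
  # }
}
```

An index that already mapped the field as a string keeps that mapping, so the numeric type only shows up in a newly created index or after reindexing. Refresh the field list in Management > Index Patterns once such an index exists.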