Fields parsed by Grok show up as unknown type

So my fields are being parsed and I see them in Kibana when I run queries, but all my parsed fields are listed as "unknown" for their data types. Also, if I try to create a visualization, it's not listing any of my parsed fields, only the text message fields, which is how the Apache log came in. I'm fairly new to ELK, so I'm still trying to figure things out using the current version (5.0). I have Filebeat processing Apache logs and sending them to Logstash for processing.

You need to refresh your index.

Go to Kibana->settings->indices-> the index name. You will see a table of "Known" fields, and there will be a refresh button on top. Hit that and you will see the "Count" of fields go up, and you should be able to find your new fields in that table now.

4 Likes

That worked! Thank you so much!

Adrian

Follow-up question: is there a way for me to specify the data type for specific fields? For example, I noticed that the IP fields got classified as text.

That is a bit more complex.

Check this out
https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html

But I am weaker on this subject, so I would open a separate thread and provide your current mapping and an example document (JSON from Elastic). That would be the info others would need to help you.
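For the follow-up question, an added example that is not from any poster in this thread: an Elasticsearch 5.x index template body that maps the client address field to the `ip` datatype from the linked documentation, sent as the body of `PUT _template/apache_ip`. The template name `apache_ip`, the index pattern `logstash-*` (the Logstash elasticsearch output default) and the field name `clientip` (the name the stock `COMBINEDAPACHELOG` grok pattern produces) are assumptions; replace them with the names in your own mapping.

```json
{
  "template": "logstash-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "properties": {
        "clientip": { "type": "ip" }
      }
    }
  }
}
```

A template only applies to indices created after it is stored, so existing indices keep `clientip` as text until they are reindexed. Once a new index exists, refresh the field list in Kibana as described earlier in the thread so the new type shows up.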
