Host metadata not parsing out correctly in ElasticSearch

fozboz · August 17, 2018, 2:45pm

I have Metricbeat 6.3.2 sending to Logstash 6.3.2 sending to ElasticSearch 6.3.0. I have enabled the beta add_host_metadata processor in Metricbeats.

In Kibana, the host field is showing like this.

{
  "os": {
    "family": "debian",
    "codename": "xenial",
    "version": "16.04.5 LTS (Xenial Xerus)",
    "platform": "ubuntu"
  },
  "architecture": "x86_64",
  "name": "myhost1",
  "id": "c2d8354c6253fb563beeebeb07b902b5",
  "containerized": false
}

where I would expect host.name, host.architecture, host.os.platform etc. fields to have been parsed to individual fields and be searchable.

I thought that it may have something to do with the default field mappings provided by Metricbeat which look like this.

        "host": {
          "properties": {
            "architecture": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "os": {
              "properties": {
                "family": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "platform": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "version": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            }
          }
        },

so they do not explicitly define all of the fields. However, if I reindex the documents into a new index with the same index template, I get what I expect.

I am going to edit the index template now and define all of the fields, so tomorrow when the index rolls over it will pick up the new template and I will let you know the outcome. Any thoughts in the meantime?

fozboz · August 20, 2018, 1:30pm

Changing the index template did not make any difference

fozboz · August 20, 2018, 3:26pm

Moved to Kibana as it's clear to me now this is an issue I'm having with Kibana.

I just figured it out, it was an index pattern field mapping problem. Because I had old data which did not include the host metadata and just had the hostname as a string in the host field, Kibana was unable to resolve both mappings.

I recreated the index mappings to focus on more recent documents and the issue is fixed!

rashmi · August 20, 2018, 3:48pm

Glad that you posted your response back. It will be helpful for the community.

Cheers
Rashmi

system · September 17, 2018, 3:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana splitting up hostname as multiple fields in graphs Kibana	2	758	March 29, 2018
Infrastructure - host.name & metric are not displaying (properly) Metrics	9	1538	March 6, 2019
Kibana -> Infrastructure -> Metrics ->> Host Metadata Kibana	4	388	April 12, 2020
Unable to build kibana visualization with analyzed fields Kibana	5	346	April 24, 2018
Metricbeat to Logstash to ElasticSearch - Cannot See Any Hosts Defined, But Data Is Definitely Coming In Kibana	9	2010	July 12, 2021

Host metadata not parsing out correctly in ElasticSearch

Related topics