hello, when I open Kibana, the host mapping field in a search is showing as %{host2} and not the host name, I am not sure what config to look in to resolve this.
It looks like your Logstash configuration tries to reference a field named host2 but no such field existed for the event. Look into your Logstash configuration.
Thank you, in my logstash indexer config file, i have this under filter {
mutate {
replace => [ "host", "%{host2}" ]
I am guessing this is where the %{host2} is coming from, but I am not sure how to fix this.
It looks like other configs I have found on line.
I am guessing this is where the %{host2} is coming from, but I am not sure how to fix this.
You're relying on a host2 field to exist, but there is no such field. When and how is this field supposed to be created? It would help if you shows us your filter configuration and example messages.
I also suggest that you edit this post to move it to the Logstash category since it isn't a Kibana problem.
Thank you for the reply,
As I mentioned, I have inherited this, and am not very proficient in logstash/elasticsearch or kibana.
Here is what the filter section on my index server has.
filter {
grok {
match => [ "host", "^(?[0-2]?[0-9]?[0-9].[0-2]?[0-9]?[0-9].[0-2]?[0-9]?[0-9].[0-2]?[0-9]?[0-9]):.*" ]
}
mutate {
replace => [ "host", "%{host2}" ]
}
mutate {
remove_field => [ "host2" ]
}
if [type] == "WindowsEventLog" {
mutate {
lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
}
mutate {
rename => [ "Hostname", "source_host" ]
}
mutate {
gsub => ["source_host","\.example\.com",""]
}
date {
match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
}
mutate {
rename => [ "Severity", "eventlog_severity" ]
rename => [ "SeverityValue", "eventlog_severity_code" ]
rename => [ "Channel", "eventlog_channel" ]
rename => [ "SourceName", "eventlog_program" ]
rename => [ "SourceModuleName", "nxlog_input" ]
rename => [ "Category", "eventlog_category" ]
rename => [ "EventID", "eventlog_id" ]
rename => [ "RecordNumber", "eventlog_record_number" ]
rename => [ "ProcessID", "eventlog_pid" ]
}
if [SubjectUserName] =~ "." {
mutate {
replace => [ "AccountName", "%{SubjectUserName}" ]
}
}
if [TargetUserName] =~ "." {
mutate {
replace => [ "AccountName", "%{TargetUserName}" ]
}
}
if [FileName] =~ "." {
mutate {
replace => [ "eventlog_channel", "%{FileName}" ]
}
}
mutate {
lowercase => [ "AccountName", "eventlog_channel" ]
}
mutate {
remove_field => [ "SourceModuleType", "EventTimeWritten", "EventReceivedTime", "EventType" ]
}
}
}
Well, there's nothing in the configuration you've shown that creates a host2 field. I don't know what you're trying to do.
Ah, wait. Look at this line:
match => [ "host", "^(?[0-2]?[0-9]?[0-9].[0-2]?[0-9]?[0-9].[0-2]?[0-9]?[0-9].[0-2]?[0-9]?[0-9]):.*" ]
I'm pretty sure you actually have <host2> or similar after the first question mark. Always format configuration file snippets as code to make sure they come through correctly.