Hostname.raw appears twice in split chart

I am creating a couple of bar-charts from Logstash-data and I do a split chart to differentiate a couple of servers. I do that by using a sub aggregation "Terms" and use the field hostname.raw.
Now I see for several servers that they appear twice in the chart as the following:

  • servername
  • servername.domain.tld

Is there a way to combine them when splitting them automatically by Hostname.raw? I could use host.raw but that gives me an IP-address and I'd really prefer DNS-names.

You could potentially use a script or if you have a small number of hostnames, you could use the filters aggregation to create a bucket for each host.

But really the best thing to do here would be to fix the problem in the data. Why are you getting different values in hostname.raw for the same host in the first place? Can you modify your log data or use logstash to normalize this data before it gets to Elasticsearch? Having good data always makes things much easier down the road.

Thanks, I will have a look at those links on Monday.
I thought about why I get those different host names as well but I have no clue. I use only one filter for Windows logs and the logs come from nxlog. It is weird…
I will look into that more on Monday, too.
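
One way to do the Logstash-side normalization suggested in the reply above, as an added example that is not from the original thread. It assumes the event field is called `hostname`, that the short name is the form you want to keep, and it introduces a hypothetical `hostname_original` field to preserve the value as received.

```logstash
filter {
  # Assumption: the event field is named "hostname" (hostname.raw is its
  # not_analyzed copy in Elasticsearch). Adjust to your own field name.
  if [hostname] {
    # Keep the value exactly as the shipper sent it (hypothetical field name),
    # so the original is still available when investigating an event.
    mutate { add_field => { "hostname_original" => "%{hostname}" } }

    # Case differences would also split the Terms buckets.
    mutate { lowercase => [ "hostname" ] }

    # Leave IPv4 literals alone; otherwise drop everything from the first dot,
    # so "servername.domain.tld" becomes "servername".
    if [hostname] !~ /^\d{1,3}(\.\d{1,3}){3}$/ {
      mutate { gsub => [ "hostname", "\..*$", "" ] }
    }
  }
}
```

Reducing to the short name merges hosts that share a short name across different domains; if that can happen in your environment, normalize to the FQDN instead. The filter only affects events indexed after it is deployed, so older documents keep both spellings.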