Hello,
i have two modules activated Apache and tomcat,, i want to store logs of this two in two different indices for better result but i am not able to get how to do that.
please help me to set this configuration in my filebeat.
i am using Elasticsearch, Filebeat & kibana
Hi,
Thanks for the reply.
I have another query,.
Now the scenerio is i want to create visualization to check which error occurs how much time in given timeframe,
my apache error is showing in "message" field but when i am creating visualization for it i am unable to get that that field to include, can you please tell me why is this happening and any suggestions are also welcome.
What kind of visualization? Message is a text field so your ability to put it in a visualization maybe limited.
I want to see top 5 errors in given duration and count for that each top 5 errors
Shriram Wasule
Computer Engineer
9764324411 |
shriramwasule@gmail.com
Unless the field is mapped as both text and keyword I don't think u can do sorting and aggregation of the message field
Okay..so how can I achieve that?
Shriram Wasule
Computer Engineer
9764324411 |
shriramwasule@gmail.com
so first check the mapping for the indices that you're interested in, Get mapping API | Elasticsearch Guide [7.12] | Elastic. Then if the message field is not mapped as both update the index/index template to use a multi field mapping for that field, fields | Elasticsearch Guide [7.12] | Elastic.
Thank you fro reply,
i did tries to follow mentioned steps
i am getting this error after running following
PUT filebeat-7.12.0-2021.03.30-000001
{
"mappings": {
"properties": {
"message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
Error:
{
"error" : {
"root_cause" : [
{
"type" : "resource_already_exists_exception",
"reason" : "index [filebeat-7.12.0-2021.03.30-000001/] already exists",
"index_uuid" : "",
"index" : "filebeat-7.12.0-2021.03.30-000001"
}
],
"type" : "resource_already_exists_exception",
"reason" : "index [filebeat-7.12.0-2021.03.30-000001/] already exists",
"index_uuid" : "",
"index" : "filebeat-7.12.0-2021.03.30-000001"
},
"status" : 400
}
my use case is like i want to create a data table for apache errors,
like which error is comes how many times, inshort count of each error occured, but not able to see message filed during creation.
But i am still can't see that message field with message.keword in visualization
you can't do it for an index that already exists. You either need to update the template or create a new index. I would create a new index and add some data just to test that it works and does what you want.
okay, thanks,
so how can i update my template with this changes in field?
Update mapping API | Elasticsearch Guide [7.12] | Elastic and Create or update index template API | Elasticsearch Guide [7.12] | Elastic. You can also update the index template mapping from in Kibana in the Index Template admin page.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.