Hello,
I have two modules activated, Apache and Tomcat. I want to store the logs of these two in two different indices for better results, but I am not able to work out how to do that.
Please help me to set this configuration in my Filebeat.
I am using Elasticsearch, Filebeat & Kibana.
Hi,
Thanks for the reply.
I have another query.
Now the scenario is that I want to create a visualization to check which error occurs how many times in a given timeframe.
My Apache error is showing in the "message" field, but when I am creating a visualization for it I am unable to get that field to include. Can you please tell me why this is happening? Any suggestions are also welcome.
What kind of visualization? Message is a text field so your ability to put it in a visualization may be limited.
I want to see the top 5 errors in a given duration and the count for each of those top 5 errors.
Unless the field is mapped as both text and keyword I don't think you can do sorting and aggregation of the message field.
Okay, so how can I achieve that?
So first check the mapping for the indices that you're interested in: Get mapping API | Elasticsearch Guide [7.12] | Elastic. Then, if the message field is not mapped as both, update the index/index template to use a multi-field mapping for that field: fields | Elasticsearch Guide [7.12] | Elastic.
Thank you for the reply.
I did try to follow the mentioned steps.
I am getting this error after running the following:
PUT filebeat-7.12.0-2021.03.30-000001
{
  "mappings": {
    "properties": {
      "message": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword"
          }
        }
      }
    }
  }
}
Error:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "resource_already_exists_exception",
        "reason" : "index [filebeat-7.12.0-2021.03.30-000001/] already exists",
        "index_uuid" : "",
        "index" : "filebeat-7.12.0-2021.03.30-000001"
      }
    ],
    "type" : "resource_already_exists_exception",
    "reason" : "index [filebeat-7.12.0-2021.03.30-000001/] already exists",
    "index_uuid" : "",
    "index" : "filebeat-7.12.0-2021.03.30-000001"
  },
  "status" : 400
}
My use case is that I want to create a data table for Apache errors,
showing which error comes how many times, in short a count of each error that occurred, but I am not able to see the message field during creation.
But I still can't see that message field with message.keyword in the visualization.
You can't do it for an index that already exists. You either need to update the template or create a new index. I would create a new index and add some data just to test that it works and does what you want.
Okay, thanks.
So how can I update my template with these changes in the field?
Update mapping API | Elasticsearch Guide [7.12] | Elastic and Create or update index template API | Elasticsearch Guide [7.12] | Elastic. You can also update the index template mapping from Kibana in the Index Template admin page.
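
The steps discussed in this thread, written out as Kibana Dev Tools requests. This is an added example, not part of any poster's reply: it uses the Update mapping API linked in the last reply, the index name from the error above, and three assumptions of its own (the `ignore_above` value, the `event.dataset` value `apache.error`, and the 24-hour window).

```console
# Added example; index name taken from the error message in the thread.
# 1. Inspect how "message" is currently mapped.
GET filebeat-7.12.0-2021.03.30-000001/_mapping/field/message

# 2. Add a keyword sub-field through the Update mapping API (no index creation).
#    Repeat unchanged any other parameters step 1 shows for "message" (for
#    example "norms"); otherwise the request may be rejected as a mapping conflict.
#    ignore_above is an assumed value: longer messages are not indexed as keyword.
PUT filebeat-7.12.0-2021.03.30-000001/_mapping
{
  "properties": {
    "message": {
      "type": "text",
      "fields": {
        "keyword": { "type": "keyword", "ignore_above": 1024 }
      }
    }
  }
}

# 3. Documents indexed before step 2 have no message.keyword values yet;
#    re-index them in place so the sub-field is populated.
POST filebeat-7.12.0-2021.03.30-000001/_update_by_query?conflicts=proceed

# 4. Top 5 Apache error messages and their counts for the last 24 hours.
#    The dataset filter and time range are assumptions; adjust to your data.
GET filebeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "term": { "event.dataset": "apache.error" } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  },
  "aggs": {
    "top_errors": {
      "terms": { "field": "message.keyword", "size": 5 }
    }
  }
}
```

The `terms` aggregation groups on the exact message string, so lines that differ only by client address or PID fall into separate buckets.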