How can I rename and reorder fields in Kibana?

dolanmk · June 13, 2019, 8:53am

Hi.

I am wondering if there is a way to rearrange the list of fields as they are presented when a document is expanded like in the picture below.

I am also wondering if it is possible to rename the "@timestamp" field. For my logs I have a date field, "logdate", that is based on when the logs were originally created along with the "@timestamp" field for when they were sent to ES. I am hoping to rename "@timestamp" to something more descriptive like "stashdate" so that other users do not get confused by the two date fields.

Thank you so much!!

Stacey_Gammon · March 24, 2017, 6:23pm

Unfortunately neither are possible in kibana currently, though we do have a popular request for field name aliases here: https://github.com/elastic/kibana/issues/1896. How are you ingesting your data? Perhaps you can change the name at that level?

dolanmk · March 24, 2017, 6:36pm

Thank you for the prompt reply! I am using Grok patterns to bring the data into ES through Logstash. I tried using the Logstash mutate filter plugin to rename @timestamp but got an error in the console about there being no @timestamp field. Is there another option to rename it before it is sent to Elasticsearch? Maybe copying the values to another field with a different name and then using remove_field for @timestamp?

Stacey_Gammon · March 24, 2017, 7:10pm

You should be able to do this by giving the time field a custom field name, and then using the date filter plugin to make sure it's captured as a date type.

This discuss post outlines steps: Converting string to date

dolanmk · June 13, 2019, 8:53am

Thanks, Stacey! I have added a new field with same value as @timestamp with following code:

Is there anyway to remove the @timestamp field, or at least keep it from being visible in Kibana?

Thanks again!

Stacey_Gammon · March 28, 2017, 11:23am

hmm, it does look like there is, as mentioned in the above blog post:

For bonus points, you can remove the now-superfluous timestamp field (since you overwrote @timestamp), by adding remove_field => "timestamp" to your date filter block. This will only delete the timestamp field upon successful conversion. This way you're not filling up your indices with a redundant timestamp field.

But it looks like you aren't using the date filter to achieve the second time field, so perhaps those instructions won't work. Have you checked out remove_field available in the ruby filter. Take a look at these docs:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-ruby.html#plugins-filters-ruby-remove_field

Maybe that will do the trick!

dolanmk · March 28, 2017, 2:37pm

I've tried using the mutate filter to name @timestamp and the ruby filter to remove the field but I get the following error each time:

An unexpected error occurred! :error => timestamp field is missing

system · April 25, 2017, 2:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.