How to handle unmapped fields

filter {
  grok {
    id => "name school grok filter"
    match => { 'message' => '^.*name=\'%{WORD:student.name}\'.*school=\'%{WORD:student.school}\''}
  }
}

For example, with WORD:student.name I would like to create a field "student" that contains information such as the name. In Kibana "discover" I can see the logs, but it shows me that "student.name" is not mapped (Unmapped fields). How do I get that? I described the field under Index Management -> Index Templates -> Settings (from template). Still it doesn't work...

If you want nested fields/multi-fields:

%{WORD:[student][name]}
%{WORD:[student][school]}

You will get:

"student": {
   "name": "some name",
   "school": "school"
}

I tried that, unfortunately I get the same result. What else could I try?

You cannot mix a string/text and a JSON object.
"student.name" is text. [student][name] is a nested/JSON field.
Go to Kibana and check the Data view; if it is text/keyword, delete the index (or reindex, or make a new one) and recreate the data view.

Please, share what you did here.

Did you create a template with the mapping for those fields?

If so, did you recreate the index? Templates are only applied on index creation.

Also, in Logstash student.name is different from [student][name]: the first is a field with a dot in the name and the second is a JSON object.

The first is this:

{ "student.name": "name" }

And the second is this:

{ "student": {  "name": "some name" } }

You need to create a mapping for the student field as a JSON object, and add a nested field for the name field with the correct mapping.
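As an added example that is not part of the thread, here is a small Python model of the point made above: the dotted spelling and the bracket spelling produce different event shapes, the index-template mapping has to match the nested shape, and a document whose shape contradicts the mapping is rejected. The sample values (Alice, Oxford, students-*) are constructed for the example.

```python
# Constructed sample events: the shape each grok spelling from the thread produces.
FLAT_EVENT = {"student.name": "Alice", "student.school": "Oxford"}    # %{WORD:student.name}
NESTED_EVENT = {"student": {"name": "Alice", "school": "Oxford"}}   # %{WORD:[student][name]}

def dedot(event):
    """Turn dotted top-level keys into nested objects (what [student][name] yields);
    refuses a key that would make one path both a scalar and an object."""
    out = {}
    for key, value in event.items():
        *parents, leaf = key.split(".")
        node = out
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r}: {part!r} is already a scalar field")
        if leaf in node and isinstance(node[leaf], dict) != isinstance(value, dict):
            raise ValueError(f"{key!r}: {leaf!r} already has a different shape")
        node[leaf] = value
    return out

def infer_properties(doc):
    """'properties' block of a mapping: dicts become objects, scalars keyword fields."""
    return {f: {"type": "object", "properties": infer_properties(v)} if isinstance(v, dict)
            else {"type": "keyword"} for f, v in doc.items()}

def index_template(index_pattern, doc):
    """Body for PUT _index_template/<name>; it applies only to indices created afterwards,
    so an existing index has to be deleted or reindexed for it to take effect."""
    return {"index_patterns": [index_pattern],
            "template": {"mappings": {"properties": infer_properties(doc)}}}

def mapping_conflicts(props, doc, path=""):
    """Paths where the event's shape contradicts the mapping: an object sent to a
    text/keyword field or a scalar sent to an object field. Elasticsearch rejects
    either, which is one way a field ends up 'unmapped' in Kibana."""
    bad = []
    for field, value in doc.items():
        here = f"{path}.{field}" if path else field
        spec = props.get(field)
        if spec is None:
            continue          # not in the template: dynamic mapping decides
        is_obj = "properties" in spec or spec.get("type") in ("object", "nested")
        if isinstance(value, dict) != is_obj:
            bad.append(here)
        elif is_obj:
            bad.extend(mapping_conflicts(spec.get("properties", {}), value, here))
    return bad
```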

