I need to index my field as type=keyword as oppose to type=text

utki · 2019-01-09 11:53:51 UTC

I need to index my field as type=keyword as oppose to type=text, since I need to create dashboard using the fields which are tagged as type text and I am not able to create one.

Below is my config file:

input 
{
	file {
		path => "C:/Users/utkarsh.sanadhya/Desktop/elasticsearch_course/Data/logs/Sixteen.txt"
		type => "json"
		start_position => "beginning"
	}
	
}



filter {

 dissect { 
     mapping => { "message" => "%{ts} %{+ts} %{+ts} %{a} %{b}: [%{level}][%{c}][%{d}@%{e}: %{msg}" } 
	     }
  json { source => "msg" }
  
  }
  


	   
output 
{
    stdout {
		codec => dots
	}

 	elasticsearch {

  	}
	
}

Below is snippet of my log file:

Dec 26 00:32:50 ServerName mars-auth-capture: [INFO ][mars][auth-capture]@cee: {"profile":"http://cee.mitre.org/1.0-beta1/coreprofile","host":"a.b.c.d","pname":"mars-auth-capture","native":{"request_timestamp":"12/26/18 00:20:46","request_protocol":"HTTP/1.1","request_method":"POST","request_url":"/cgi-bin/WebObjects/tsweb-marsweb.woa/6/wo/rdAc6opdpQoEmV4hnQogPM/2.19.1","**request_header_x_forwarded_for**":"e.f.g.h","request_username":"username","response_header_set_cookie":"rdAc6opdpQoEmV4hnQogPM","response_auth_result":"error occurred"}}

I need to create dashboard using fields request_header_x_forwarded_for and request_username from the log file.

Any help/suggestion is appreciated.

Regards,
Utkarsh

dadoonet · 2019-01-09 12:47:52 UTC

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

utki · 2019-01-10 06:52:48 UTC

Hi,

Edited as directed.

Regards,
Utkarsh

dadoonet · 2019-01-10 07:57:19 UTC

Note that you need to format just the code part. Not all the text.
I'm editing your posts.

dadoonet · 2019-01-10 07:59:42 UTC

Did you define a mapping in elasticsearch?

utki · 2019-01-10 08:41:01 UTC

I have not done anything explicitly. I just sent the logs using logstash. Once my logs were imported, I was trying to create the dashboard but was not able to use the fields.

You want me to delete the log file and then update the mapping as per the desired type? If yes, then m not very sure on how to do it.

dadoonet · 2019-01-10 08:56:44 UTC

Yes. That's what you need to do.

See https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-put-mapping.html

utki · 2019-01-17 09:02:06 UTC

Hi,

I indexed my fields manually but now they are not appearing in Discover Tab. I need those fields to create dashboards. I have updated the time filter on top right corner as well. I can see my entry in Management Tab though. Please help.

Regards,
Utkarsh

dadoonet · 2019-01-17 10:05:56 UTC

You should ask a new question in #kibana and provide more details probably on what you are seeing.

system · 2019-02-14 10:05:57 UTC

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.