I need to index my field as type=keyword as oppose to type=text


(Utkarsh Sanadhya) #1

I need to index my field as type=keyword as oppose to type=text, since I need to create dashboard using the fields which are tagged as type text and I am not able to create one.

Below is my config file:

input 
{
	file {
		path => "C:/Users/utkarsh.sanadhya/Desktop/elasticsearch_course/Data/logs/Sixteen.txt"
		type => "json"
		start_position => "beginning"
	}
	
}



filter {

 dissect { 
     mapping => { "message" => "%{ts} %{+ts} %{+ts} %{a} %{b}: [%{level}][%{c}][%{d}@%{e}: %{msg}" } 
	     }
  json { source => "msg" }
  
  }
  


	   
output 
{
    stdout {
		codec => dots
	}

 	elasticsearch {

  	}
	
}

Below is snippet of my log file:

Dec 26 00:32:50 ServerName mars-auth-capture: [INFO ][mars][auth-capture]@cee: {"profile":"http://cee.mitre.org/1.0-beta1/coreprofile","host":"a.b.c.d","pname":"mars-auth-capture","native":{"request_timestamp":"12/26/18 00:20:46","request_protocol":"HTTP/1.1","request_method":"POST","request_url":"/cgi-bin/WebObjects/tsweb-marsweb.woa/6/wo/rdAc6opdpQoEmV4hnQogPM/2.19.1","**request_header_x_forwarded_for**":"e.f.g.h","request_username":"username","response_header_set_cookie":"rdAc6opdpQoEmV4hnQogPM","response_auth_result":"error occurred"}}

I need to create dashboard using fields request_header_x_forwarded_for and request_username from the log file.

Any help/suggestion is appreciated.

Regards,
Utkarsh


(David Pilato) #2

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.


(Utkarsh Sanadhya) #3

Hi,

Edited as directed.

Regards,
Utkarsh


(David Pilato) #4

Note that you need to format just the code part. Not all the text.
I'm editing your posts.


(David Pilato) #5

Did you define a mapping in elasticsearch?


(Utkarsh Sanadhya) #6

I have not done anything explicitly. I just sent the logs using logstash. Once my logs were imported, I was trying to create the dashboard but was not able to use the fields.

You want me to delete the log file and then update the mapping as per the desired type? If yes, then m not very sure on how to do it.


(David Pilato) #7

Yes. That's what you need to do.

See https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-put-mapping.html


(Utkarsh Sanadhya) #8

Hi,

I indexed my fields manually but now they are not appearing in Discover Tab. I need those fields to create dashboards. I have updated the time filter on top right corner as well. I can see my entry in Management Tab though. Please help.

Regards,
Utkarsh


(David Pilato) #9

You should ask a new question in #kibana and provide more details probably on what you are seeing.


(system) closed #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.