However, you'll notice that it's pulling as an int, which is exactly what I want. The weird part is, I can't seem to pull ANYTHING when I ask to grab log entries below a certain level (remove the downtime pieces)
When I ask for event.duration < 4000 I get exclusively 0.0's back. When I add "And event.duration > 0.0" I get nothing back at all.
When I hit the edit button next to the mapping, it has an "input" and "output" section. The "Input" was set to nanoseconds, while the "Output" was set to milliseconds. While I didn't want to change either of these for fear of breaking shit, I DID realize that if I want to see counts under 10,000 ms (as they are displaying) I ACTUALLY need to add 6 zeros for converting to nanoseconds. So the filter "event.duration > 10000000000" works exactly how I need it. Thanks!
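The mismatch described in the post above, reproduced in Python as an added example (this is not code from the thread or from Kibana). It assumes the field is stored in nanoseconds and displayed in milliseconds, exactly as the "Input"/"Output" settings above say; the sample hits, the unit table, and the helper names (`to_stored_unit`, `range_query`, `apply_range`) are constructed for illustration. It shows why a threshold typed in the displayed unit only matches the 0 values, and how converting the threshold into the stored unit before building the range query fixes it.

```python
# Added example: display unit vs stored unit for a duration field.
# Unit table and sample documents are constructed; not from the thread.

UNIT_TO_NS = {
    "nanoseconds": 1,
    "microseconds": 1_000,
    "milliseconds": 1_000_000,
    "seconds": 1_000_000_000,
}

# Constructed sample hits. event.duration is stored in nanoseconds
# (the field's "Input" unit); 0 means no duration was recorded.
SAMPLE_DOCS = [
    {"event.duration": 0},
    {"event.duration": 2_500_000_000},   # 2.5 s, displays as 2500 ms
    {"event.duration": 8_000_000_000},   # 8 s
    {"event.duration": 15_000_000_000},  # 15 s
    {"event.duration": 0},
]


def to_stored_unit(value, display_unit, stored_unit):
    """Convert a threshold typed in the display unit into the unit the field is stored in."""
    return value * UNIT_TO_NS[display_unit] // UNIT_TO_NS[stored_unit]


def range_query(field, stored_unit, display_unit="milliseconds", gt=None, lt=None):
    """Build an Elasticsearch-style range query whose bounds are converted to the stored unit.

    The formatter only rewrites what the table shows; the query hits raw stored
    values, so the conversion has to happen here, before the query is sent.
    """
    bounds = {}
    if gt is not None:
        bounds["gt"] = to_stored_unit(gt, display_unit, stored_unit)
    if lt is not None:
        bounds["lt"] = to_stored_unit(lt, display_unit, stored_unit)
    return {"range": {field: bounds}}


def apply_range(docs, query):
    """Evaluate a single-field range query locally, the way the cluster would: on raw stored values."""
    (field, bounds), = query["range"].items()
    matched = []
    for doc in docs:
        value = doc[field]
        if "gt" in bounds and not value > bounds["gt"]:
            continue
        if "lt" in bounds and not value < bounds["lt"]:
            continue
        matched.append(value)
    return matched


def display(values_ns, display_unit="milliseconds"):
    """Format stored nanosecond values the way the table's output unit shows them."""
    return [v / UNIT_TO_NS[display_unit] for v in values_ns]


if __name__ == "__main__":
    # Threshold typed in the displayed unit, sent unconverted: only the 0 values match.
    naive = {"range": {"event.duration": {"lt": 4000}}}
    print("naive < 4000:", display(apply_range(SAMPLE_DOCS, naive)))

    # Adding "> 0" to the unconverted query removes even those: nothing left.
    naive_nonzero = {"range": {"event.duration": {"gt": 0, "lt": 4000}}}
    print("naive > 0 and < 4000:", display(apply_range(SAMPLE_DOCS, naive_nonzero)))

    # Converting 4000 ms into the stored unit (4_000_000_000 ns) finds the real hits.
    fixed = range_query("event.duration", "nanoseconds", lt=4000)
    print("converted query:", fixed)
    print("converted < 4000 ms:", display(apply_range(SAMPLE_DOCS, fixed)))
```

The takeaway is that a field formatter is a presentation-layer setting: it changes what the table prints, not what is indexed, so any threshold in a query or filter has to be expressed in the indexed unit (here, the displayed milliseconds times 1,000,000).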
Glad you got it to work, good job on figuring it out! It's a little confusing that the table is applying the format while the query isn't; definitely good feedback.