Index fields with keyword

Jan_Kaspar · June 30, 2019, 5:43pm

Hi All,

I made upgrade of ELK 7.1.1 to ELK 7.0. I upgraded also one of 10 metrcibeat from 7.1.1 to 7.2.

upgraded host disappear from build in visualize Top Hosts By CPU (Realtime) [Metricbeat System] ECS.

I fouind that it is caused in group by section in By field. There was host.name and it works for all 7.1.1 and now upgraded server have field host.name.keyword. How to solve this?

default output in metrixbeat is logstash. logstash is configured by ths way:

hosts => ["192.168.5.5:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

Thanks

Jan

Marius_Dragomir · July 5, 2019, 1:54pm

You can edit the visualization and change from the host.name to host.name.keyword or you can use the mutate filter in Logstash to copy the field to the missing one:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html

But these would be ugly fixes, i'd recommend you upgrade all metricbeat instancesto the same version and then do the dashboard setup with the new 7.2 dashboards.

system · August 2, 2019, 1:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Host.hostname field_data issue with SIEM and auditbeat SIEM	1	431	May 5, 2020
Missing fields in Kibana Elasticsearch	2	441	January 16, 2021
Metricbeat to Logstash to ElasticSearch - Cannot See Any Hosts Defined, But Data Is Definitely Coming In Kibana	9	2000	July 12, 2021
Auditbeat: Broken kibana dashboards – missing .keyword in the fields Beats auditbeat	5	126	June 18, 2024
Logstash Pipeline Translate Filter Logstash	5	483	November 1, 2019

Index fields with keyword

Related Topics