Index template resulting in missing all fields in kibana

Deny7 · May 14, 2020, 9:32am

Hi, I defined template on existing index. But when the template is applied on index creation, all fields dissapear in kibana. I cant see any error in logs. Without template defined its showing data. Can anybody help?

Kibana:

My template:

PUT _template/test-temp
{
   "index_patterns":[
      "test-temp-access*"
   ],
   "settings":{
      "number_of_shards":2
   },
   "mappings":{
      "_source":{
         "enabled":false
      },
      "properties":{
         "@timestamp":{
            "type":"date"
         },
         "created_at":{
            "type":"date",
            "format":"EEE MMM dd HH:mm:ss Z yyyy"
         },
         "bytes":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "client":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "client2":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "duration":{
            "type":"long"
         },
         "host":{
            "properties":{
               "architecture":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "hostname":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "name":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "os":{
                  "properties":{
                     "codename":{
                        "type":"text",
                        "fields":{
                           "keyword":{
                              "type":"keyword",
                              "ignore_above":256
                           }
                        }
                     },
                     "platform":{
                        "type":"text",
                        "fields":{
                           "keyword":{
                              "type":"keyword",
                              "ignore_above":256
                           }
                        }
                     }
                  }
               }
            }
         },
         "email":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "email2":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "http_method":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "http_version":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "message":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "referrer":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "remote_ip":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "response_code":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "tags":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "url":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "user_name":{
            "type":"text",
            "fields":{
               "keyword":{
                  "type":"keyword",
                  "ignore_above":256
               }
            }
         },
         "geoip":{
            "properties":{
               "city_name":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "continent_code":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "country_code2":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "country_code3":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "country_name":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "dma_code":{
                  "type":"long"
               },
               "ip":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "latitude":{
                  "type":"float"
               },
               "location":{
                  "properties":{
                     "lat":{
                        "type":"float"
                     },
                     "lon":{
                        "type":"float"
                     }
                  }
               },
               "longitude":{
                  "type":"float"
               },
               "postal_code":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "region_code":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "region_name":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               },
               "timezone":{
                  "type":"text",
                  "fields":{
                     "keyword":{
                        "type":"keyword",
                        "ignore_above":256
                     }
                  }
               }
            }
         }
      }
   }
}

Logstash conf:

	else if([fields][log_type] == "test-temp-access") {
          	grok {
                patterns_dir => ["/etc/logstash/patterns"]
				break_on_match => false
                match => [ "message", "%{test-temp-access}"]
				remove_tag => [ "_grokparsefailure" ]
          	}
          	date{
                  	match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss +SSSS"]
                  	target => "timestamp_from_log"
          	}
			geoip {
                source => "client"
          	}
          	mutate {
                  	replace => {"[type]" => "test-temp-access"}
          	}

Grok Pattern:

%{IP:client}, %{IP:client2} - "%{DATA:email}" "%{DATA:email2}" \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" %{INT:status} %{NUMBER:bytes} "%{DATA:url}" "%{DATA:agent}" %{NUMBER:duration}

hunsw · May 14, 2020, 11:12am

I guess you should try with _source not disabled, i.e. remove

      "_source":{
         "enabled":false
      }

from mapping.

system · June 11, 2020, 11:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Template fields are missing fields on Kibana Elasticsearch	6	2557	July 6, 2017
Template upload results in fields missing from discovery page Kibana	3	597	June 14, 2017
Kibana not showing indexed fields Kibana	2	1851	July 6, 2017
Kibana doesn't see new index from elastic Kibana	6	1246	February 10, 2019
@timestamp is missing in Time-field name in Logstash template Logstash	10	3533	April 3, 2017

Index template resulting in missing all fields in kibana

Related topics