Kibana 3 and changing the default field from _all to message


(Brian Yoder) #1

I have this typical document being indexed by logstash. The following shows
the document in rubydebug mode and not as JSON, but when converted to JSON
and indexed the field names and values are the same (in other words, the
syntax below isn't one-line JSON but it's clearer to read):

{
"message" => "2014-06-13 16:15:18,431 foo=1 bar=3 text="quoted strings work" assist=true",
"@version" => "1",
"@timestamp" => "2014-06-13T16:15:18.431Z",
"host" => "blacksheep",
"foo" => "1",
"bar" => "3",
"text" => "quoted strings work",
"assist" => "true"
}

In preparation for the best possible performance, I disabled the _all field
from all my logstash-* indices. It isn't needed, as the message field
contains all of the original message's text anyway. And the _all field
wastes time during indexing and space on disk.

But all of the answers to the question "How can I configure Kibana to use
the message field as the default and not the _all field" seem to apply to
Kibana 1 and 2, the ruby versions. There is no RubyConfig.rb file in Kibana
3. And I cannot find any reference to the _all field, only to all indices
(which I broke nicely when fumbling around; it applied only to indices as I
quickly discovered).

Telling people to query for message:work instead of just work does not
endear me to them.

Is there some way to configure Kibana 3 to change the default field in its
Lucene query to message instead of _all?

Thank you in advance!

Brian

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b7b6d6d1-5690-496e-bdb1-1ee33b027b12%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Brian Yoder) #2

Ok, it's not a Kibana issue, but my Elasticsearch configuration issue. I
could fix it in the elasticsearch.yml file, but I believe it's much safer
to fix it in my less-likely-to-be-altered start-up script wrapper.

So now when I start ES via the bin/elasticsearch script, but only on behalf
of the ELK stack, I add the following option to the command line:

-Des.index.query.default_field=message

And now, my default field for a Kibana (Lucene) query is message and not
_all.

And _all is well (pun intended!).

Brian

To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/84b63fe8-523b-43f4-8522-6b8d392ff63c%40googlegroups.com.
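The failure mode in this thread (disable _all without telling Elasticsearch which field should stand in for it, and every unqualified Kibana query quietly returns nothing) is easy to audit for. The following added example, not code from the thread or from Elasticsearch, takes the JSON shapes that the Elasticsearch 1.x `_settings` and `_mapping` APIs return and reports indices where `_all` is disabled but `index.query.default_field` is unset; it also builds the explicit `query_string` body that pins the default field per request instead of depending on the `-Des.index.query.default_field` JVM flag. The sample responses are constructed, and the index names and the `logs` mapping type are assumptions.

```python
# Added example: audit logstash indices for "_all disabled, default_field unset".
# Sample data is constructed; index names and the "logs" type are assumptions.


def _index_setting(index_settings, dotted_key):
    """Look up a setting given as 'index.query.default_field'.
    Accepts both the flattened form ({"index.query.default_field": ...})
    and the nested form ({"index": {"query": {"default_field": ...}}}),
    since the _settings API can return either depending on flags."""
    if dotted_key in index_settings:
        return index_settings[dotted_key]
    node = index_settings
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def all_field_disabled(index_mapping):
    """True when every mapping type in the index has _all explicitly disabled."""
    types = index_mapping.get("mappings", {})
    if not types:
        return False
    return all(t.get("_all", {}).get("enabled", True) is False
               for t in types.values())


def find_mismatches(settings_resp, mapping_resp):
    """Names of indices whose _all is off but index.query.default_field is unset.
    On such an index a bare Kibana query like `work` matches no documents."""
    bad = []
    for name, entry in sorted(settings_resp.items()):
        if not all_field_disabled(mapping_resp.get(name, {})):
            continue  # _all still indexed: unqualified queries keep working
        default_field = _index_setting(entry.get("settings", {}),
                                       "index.query.default_field")
        if not default_field:
            bad.append(name)
    return bad


def query_string_body(lucene_query, default_field="message"):
    """Explicit query_string body that names the default field per request,
    so the result does not depend on a cluster-wide JVM flag."""
    return {"query": {"query_string": {"query": lucene_query,
                                       "default_field": default_field}}}


# --- constructed sample responses (shaped like ES 1.x API output) ----------
SAMPLE_SETTINGS = {
    "logstash-2014.06.13": {"settings": {"index": {
        "query": {"default_field": "message"}}}},
    "logstash-2014.06.14": {"settings": {"index": {
        "number_of_shards": "5"}}},
}
SAMPLE_MAPPINGS = {
    "logstash-2014.06.13": {"mappings": {"logs": {
        "_all": {"enabled": False},
        "properties": {"message": {"type": "string"}}}}},
    "logstash-2014.06.14": {"mappings": {"logs": {
        "_all": {"enabled": False},
        "properties": {"message": {"type": "string"}}}}},
}

if __name__ == "__main__":
    for idx in find_mismatches(SAMPLE_SETTINGS, SAMPLE_MAPPINGS):
        print("%s: _all disabled but index.query.default_field unset" % idx)
    print(query_string_body("work"))
```

Run against real output by replacing the two sample dicts with the parsed bodies of `GET /logstash-*/_settings` and `GET /logstash-*/_mapping`; an index listed by `find_mismatches` is one where the JVM flag from the post above (or an index template setting `index.query.default_field`) is still missing.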

