Hi all,
In Kibana, I am attempting to create a visualisation with a Terms sub-aggregation. The field being used contains a REST operation and resource path (e.g. "PUT /my/url/here").
The analysed string field is being split (e.g. /my/url ends up with "my" and "url" points on the graph). Instead, I would like to use the .raw field being created by Logstash (using the default template), however it is not displayed in the field dropdown in Kibana.
-
Versions being used: ES version 1.7.3, Logstash version 2.0.0, Kibana version 4.1.2
-
I have confirmed that my index is named correctly (default mapping used by Logstash. Index name matches the pattern logstash-*)
-
In ES (using Kopf), I have verified that the mapping for the field in question has a raw field:
"label": {
"norms": {
"enabled": false
},
"type": "string",
"fields": {
"raw": {
"ignore_above": 256,
"index": "not_analyzed",
"type": "string"
}
}
}, -
While discovering data, if I use a manual query of "label.raw:something", then results are returned. If I type "label.notraw:something", then nothing is returned - i.e. the raw field is definitely there, just isn't being displayed when I try to create my visualisation!
It just looks like the raw field is hidden from me in Kibana. I have spent quite a bit of time reading help articles and have verified everything that I have found, but am currently stumped! Am I missing something simple? I'm sure someone else has been in the same place and has managed to fix this.
I would really appreciate any help. Ideally I want to graph response times by REST call for our application (e.g. label values of "POST /my/url/here", "GET /my/url/here" etc), but at the moment this is holding me back.
Thanks all! 