Kibana how to filter out values of custom fields

I have set up filebeat/elastic/kibana to monitor my logs. In Kibana's discover page, if I hover the mouse over default fields (message, @timestamp etc), it shows + and - buttons for enabling "filter for value" and "filter out value" searches.

This feature, which is very handy, does not work for custom fields, however. Specifically, I added a field called level and I would like to show only error messages. Is there a way to activate this UI feature in Kibana to work with custom fields as well?

Some kinds of fields do show up with the filter buttons. How did you add the call level field?

The log messages are in JSON, and one of the keys is level, and I decoded it using Filebeat's json module.

Ah, Okay, thanks for the reply.

Can you post your filebeat.yml (config)? Can you also post the mapping for the index where you have that custom field, so we can see what it looks like? I'm wondering if something about the way it's mapped affects whether it shows up as filterable.
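One way to carry out the mapping check requested above, as an added example that is not part of the original thread: it reads a saved `GET <index>/_mapping` response and reports whether a field is present in the mapping and indexed, the two mapping properties that decide whether Elasticsearch can search on it. The sample mapping, the index name `filebeat-sample` and the function names are constructed for illustration.

```python
import json

# Constructed sample of a `GET <index>/_mapping` response; the index name and
# the field settings are made up for illustration.
SAMPLE_MAPPING = json.loads("""
{"filebeat-sample": {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "message":    {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "level":      {"type": "keyword", "index": false},
    "json":       {"type": "object", "enabled": false},
    "app":        {"properties": {"level": {"type": "keyword"}}}
}}}}
""")


def _lookup(root, path):
    """Walk a dotted field path through one mapping tree."""
    node = root
    for part in path.split("."):
        # Sub-fields live under "properties" (objects) or "fields" (multi-fields).
        children = {**node.get("fields", {}), **node.get("properties", {})}
        if part not in children:
            return {"mapped": False, "searchable": False, "reason": "not in mapping"}
        node = children[part]
        if node.get("enabled") is False:
            return {"mapped": True, "searchable": False,
                    "reason": "enabled: false on " + part}
    if node.get("index") in (False, "false", "no"):
        return {"mapped": True, "searchable": False, "reason": "index: false"}
    return {"mapped": True, "searchable": True,
            "reason": "indexed as " + node.get("type", "object")}


def field_status(mapping_response, field):
    """Return {index_name: status} for `field` in a _mapping response."""
    report = {}
    for index, body in mapping_response.items():
        mappings = body.get("mappings", {})
        # 7.x puts "properties" directly under "mappings"; 6.x and older nest
        # it under a mapping type name such as "doc".
        roots = ([mappings] if "properties" in mappings
                 else [m for m in mappings.values() if isinstance(m, dict)])
        report[index] = (_lookup(roots[0], field) if roots
                         else {"mapped": False, "searchable": False,
                               "reason": "not in mapping"})
    return report


if __name__ == "__main__":
    for name in ("message", "level", "json.level", "app.level", "missing"):
        print(name, field_status(SAMPLE_MAPPING, name)["filebeat-sample"])
```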

Here is the config file for filebeat. I am basically mapping the fields from the json to the same field in filebeat.

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /log/*.log  
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after
  processors:
     - decode_json_fields:
         fields: ["timestamp", "message", "level"]
         process_array: false
         max_depth: 1
         target: ""
         overwrite_keys: true
