Kibana is dividing the urls

Leooel · October 27, 2016, 12:05pm

Recently I created a grok to parse logs of Squid3, and all work normally to send all the data to elasticsearch.

I can see everything normally on discover part, but when I create a graphic visualization, to analize the urls requisitions, Kiana is dividing the urls.

EX: "443", "wp", "www86", "rf", "ss", and more things like that

LeeDr · October 27, 2016, 4:43pm

Hi Leonardo,

You're using an analyzed field in your visualization. Strings like your URL that are sent to the standard analyzer are separated into terms by punctuation marks like the .s in your URLs. Depending on how you are getting your logs into Elasticsearch you could have both an analyzed and not analyzed (or raw) field, and in this case you would want that field. Discover tab in Kibana doesn't show these fields, but they should be available in Visualizations if you have the fields. If you don't have the field, you would need to modify the mapping in Elasticsearch to store it in your index. If you're using Logstash to get the logs into Elasticsearch you could look at that documentation.

Here's one reference How to query the stored, un-analyzed, form of an analyzed field?

If that one's not clear, search around for "not analyzed" or "raw" and you should find lots of examples.

Regards,
Lee

LeeDr · October 27, 2016, 5:20pm

Here's another related thread;

Leooel · October 28, 2016, 3:59pm

Hii Lee,

This is the output parsed to elasticsearch:

{
"message" => "12.12.12.12 - - [21/Oct/2016:13:56:00 -0300] "CONNECT some.site.com HTTP/1.1" 503 0 TCP_MISS:HIER_NONE",
"@timestamp" => "2016-10-28T11:03:54.191Z",
"source" => "/var/log/access.log",
"offset" => 148843,
"host" => "logs",
"IP" => "12.12.12.12",
"ident" => "-",
"auth" => "-",
"Data" => "21/Oct/2016:13:56:00 -0300",
"Metodo" => "CONNECT",
"requisicao" => "some.site.com",
"httpversion" => "1.1",
"response" => "503",
"bytes" => "0",
"tcptype" => "TCP_MISS:HIER_NONE"
}

I tried theese thigs:

Change the field to raw
Change to not_analized
Change to not_analized + raw

And happen the following:

When raw, the URL is divided

When not_analized, don't appear the field of URL on graphic

When not_analized + raw, don't appear the field of URL on graphic

When indexed: false, don't appear the field of URL on graphic

I connect to the elasticsearch with dejavù app of chrome.

Here the schemma:

{
"title": "squid3",
"timeFieldName": "@timestamp",
"fields": "[{"name":"Metodo","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"host","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"bytes","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"_source","type":"_source","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"IP","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"_index","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"requisicao","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"message","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"response","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"httpversion","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"@timestamp","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"Data","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"source","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"ident","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"tcptype","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"offset","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"auth","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"_id","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_type","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_score","type":"number","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false}]"
}
CTRL+F field of URL = requisicao
||
V

{"name":"requisicao","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},

The fields changed: requisicao to requisicao.raw
indexed:true to indexed:false
analyzed:true to analyzed:false

Did I made something wrong?

Topic		Replies	Views
Regex query in search field of kibana dashboard Kibana	17	6262	June 7, 2017
Logstash doesn't parse message into separate parts Logstash	5	8	November 3, 2024
How to analyse nested fields? Kibana	2	2753	March 23, 2023
How to configure different indexes in logstash Logstash	4	965	October 14, 2020
How do I extract a part of a string in the message field in Kibana and then plot it on graph? Kibana	11	60900	September 19, 2017

Kibana is dividing the urls

Related Topics