Kibana is dividing the urls

Leooel · October 27, 2016, 12:05pm

Recently I created a grok to parse logs of Squid3, and all work normally to send all the data to elasticsearch.

I can see everything normally on discover part, but when I create a graphic visualization, to analize the urls requisitions, Kiana is dividing the urls.

EX: "443", "wp", "www86", "rf", "ss", and more things like that

LeeDr · October 27, 2016, 4:43pm

Hi Leonardo,

You're using an analyzed field in your visualization. Strings like your URL that are sent to the standard analyzer are separated into terms by punctuation marks like the .s in your URLs. Depending on how you are getting your logs into Elasticsearch you could have both an analyzed and not analyzed (or raw) field, and in this case you would want that field. Discover tab in Kibana doesn't show these fields, but they should be available in Visualizations if you have the fields. If you don't have the field, you would need to modify the mapping in Elasticsearch to store it in your index. If you're using Logstash to get the logs into Elasticsearch you could look at that documentation.

Here's one reference How to query the stored, un-analyzed, form of an analyzed field?

If that one's not clear, search around for "not analyzed" or "raw" and you should find lots of examples.

Regards,
Lee

LeeDr · October 27, 2016, 5:20pm

Here's another related thread;

Leooel · October 28, 2016, 3:59pm

Hii Lee,

This is the output parsed to elasticsearch:

{
"message" => "12.12.12.12 - - [21/Oct/2016:13:56:00 -0300] "CONNECT some.site.com HTTP/1.1" 503 0 TCP_MISS:HIER_NONE",
"@timestamp" => "2016-10-28T11:03:54.191Z",
"source" => "/var/log/access.log",
"offset" => 148843,
"host" => "logs",
"IP" => "12.12.12.12",
"ident" => "-",
"auth" => "-",
"Data" => "21/Oct/2016:13:56:00 -0300",
"Metodo" => "CONNECT",
"requisicao" => "some.site.com",
"httpversion" => "1.1",
"response" => "503",
"bytes" => "0",
"tcptype" => "TCP_MISS:HIER_NONE"
}

I tried theese thigs:

Change the field to raw
Change to not_analized
Change to not_analized + raw

And happen the following:

When raw, the URL is divided

When not_analized, don't appear the field of URL on graphic

When not_analized + raw, don't appear the field of URL on graphic

When indexed: false, don't appear the field of URL on graphic

I connect to the elasticsearch with dejavù app of chrome.

Here the schemma:

{
"title": "squid3",
"timeFieldName": "@timestamp",
"fields": "[{"name":"Metodo","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"host","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"bytes","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"_source","type":"_source","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"IP","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"_index","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"requisicao","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"message","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"response","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"httpversion","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"@timestamp","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"Data","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"source","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"ident","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"tcptype","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"offset","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"auth","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"_id","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_type","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_score","type":"number","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false}]"
}
CTRL+F field of URL = requisicao
||
V

{"name":"requisicao","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},

The fields changed: requisicao to requisicao.raw
indexed:true to indexed:false
analyzed:true to analyzed:false

Did I made something wrong?

Topic		Replies	Views
Visualize apache logs strange Kibana	5	1473	July 6, 2017
Why is Kibana splitting my fields Kibana	3	1043	July 6, 2017
Confused about how to use .raw fields and not analyze string fields Kibana	37	51284	July 6, 2017
Visualize not_analyzed sub field Kibana	3	705	March 27, 2017
Not_analyzed field being analyzed Elasticsearch	6	1066	July 5, 2017

Kibana is dividing the urls

Related topics