Kibana splitting fields with dots or spaces in them


(Sacasumo) #1

I'm stuck with an issue in the visualisation page, where Kibana is splitting fields which have a space or a dot between them. For example, with a source hostname such as server.domain.local I get a count for server, another for domain and another for local. Not exactly sure why or how this is happening. The same goes for countries such as united states or united kingdom.


#2

Per the Analyzed Field tooltip:

Careful! The field selected contains analyzed strings. Analyzed strings are highly unique and can use a lot of memory to visualize. Values such as foo-bar will be broken into foo and bar. See Mapping Types for more information on setting this field as not_analyzed

You'll have to change your mappings to not analyzed for that field. Check:

Create template
and here
Reindexing

Here was my process after installing the Sense plugin:

PUT /_template/bro_template
{
  "template": "bro-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ]
    },
    "bro_ts": {
      "properties": {
        "ts": {
          "type": "date",
          "format": "epoch_millis"
        }
      }
    },
    "bro_orig_h": {
      "properties": {
        "id.orig_h": {
          "type": "ip"
        }
      }
    },
    "bro_resp_h": {
      "properties": {
        "id.resp_h": {
          "type": "ip"
        }
      }
    },
    "bro_assigned_ip": {
      "properties": {
        "assigned_ip": {
          "type": "ip"
        }
      }
    }
  }
}

After creating the index, you have to create a new index and copy the data from the old index into it, which will pick up the new template when you do it:

PUT /bro-201609140900-1
POST /_reindex
{
  "source": {
    "index": "bro-201609140900"
  },
  "dest": {
    "index": "bro-201609140900-1"
  }
}
DELETE /bro-201609140900

If you're matching by pattern in your index setup, like I am with bro-*, then it really doesn't matter if you keep the exact same name for the index or not. Hope that helps.

Note to devs: The above information took me almost two days to figure out. Maybe I'm just daft, but I HIGHLY recommend a FAQ or "Common Operations" section somewhere here:

Definitive Guide

Topics could include the process of creating a template, reindexing, etc. Maybe even a section on common things that people run into, like the above (how to fix analyzed string fields) and whatnot.
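As an added check that is not part of the thread above: before rebuilding the visualization it is worth confirming that no string field in the index is still analyzed, because those are exactly the fields Kibana tokenizes on dots, dashes and spaces in a terms aggregation. The Python function below walks a mapping in the shape returned by GET /<index>/_mapping and lists the analyzed string fields; the sample mapping and its field names are constructed, and the ES 2.x string/not_analyzed semantics of the template above are assumed.

```python
"""List analyzed string fields in an Elasticsearch 2.x index mapping.

Rule assumed (ES 2.x): "type": "string" is analyzed unless "index" is
"not_analyzed" (or "no", which means not indexed at all). Object fields nest
children under "properties"; multi-fields nest alternatives under "fields".
"""

# Constructed sample of what GET /bro-201609140900/_mapping might return
# before the not_analyzed template is applied (hypothetical field names).
SAMPLE_MAPPING = {
    "bro-201609140900": {
        "mappings": {
            "bro_conn": {
                "properties": {
                    "ts": {"type": "date", "format": "epoch_millis"},
                    "id.orig_h": {"type": "ip"},
                    "beat": {
                        "properties": {
                            "hostname": {"type": "string"},  # analyzed by default
                            "name": {"type": "string", "index": "not_analyzed"},
                        }
                    },
                    "geoip": {
                        "properties": {
                            "country_name": {
                                "type": "string",
                                "fields": {"raw": {"type": "string", "index": "not_analyzed"}},
                            }
                        }
                    },
                }
            }
        }
    }
}


def analyzed_string_fields(mapping):
    """Return the sorted full paths (e.g. beat.hostname) of analyzed string fields."""
    found = []

    def walk(props, prefix):
        for name, spec in props.items():
            path = prefix + name
            if spec.get("type") == "string" and spec.get("index", "analyzed") == "analyzed":
                found.append(path)
            walk(spec.get("properties", {}), path + ".")  # object sub-fields
            walk(spec.get("fields", {}), path + ".")      # multi-fields such as .raw

    for index_body in mapping.values():
        for type_body in index_body.get("mappings", {}).values():
            walk(type_body.get("properties", {}), "")
    return sorted(found)
```

An empty result after reindexing means the dynamic template took effect for every string field; any path still listed will be split in the terms aggregation.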

