Kibana Visualization for netflow.application_name

Hello,

Please help me to understand how to create a Visualization for netflow.application_name.
I don't see this field in the list on adding a new Visualization.
Thank you for your help and support

Elena

Hi @Elena_Kaidrikov,

thanks for your question. Could you explain where exactly you expect your field to show up? If you create a new visualization you have to select the index pattern you want to visualize first before configuring the actual chart.

Hi,
When I create a new visualization for the Source port (for example),
I do the following steps:

  1. Create new Visualization
  2. Select a visualization type (Pie for example)
  3. Choose a source (netflow-*)
  4. Add Buckets:
    -- Split slices
    -- Aggregation: Terms
    -- Field: netflow.src_port
  5. Run

But I can't create a Visualization for netflow.application_name, because the field's list doesn't contain it.
If I open the Discovery tab, I see the received netflow traffic with netflow.application_name.

Thank you for your help

Hey, thanks for the additional info.

A terms aggregation can only be applied to fields either indexed as keyword or having field data enabled (see https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html). However, if you are using the automatic mapping of Elasticsearch, it should have created netflow.application_name.keyword for you, which is the keyword-indexed version of netflow.application_name. Using this field in terms should yield the expected results.

Hi,
I am sorry.
I didn't understand how I do this.
I'm new to Kibana and I’m struggling on a -maybe- simple thing :blush:
I don't see `netflow.application_name.keyword` in the list either.

I succeeded in creating a Timelion Visualization:

```
.es(index="netflow-*", metric="sum:netflow.packets", split="netflow.application_name:30", kibana=true).scale_interval(1s).fit(mode=scale).if(operator="lt", if=0, then=0).trim(start=2,end=1).label(regex="^.* netflow.application_name:(.+) > .*$", label="$1").lines(width=1, stack=true, fill=0).yaxis(label="packets / sec", min=0)
```

How can I create Pie Visualization?

Thanks

The field you want to use in a terms aggregation should be of type keyword (https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html). You can check by retrieving the mapping in the dev console: `GET /netflow-*/_mapping`. It should include:

```
"netflow.application_name": {
  "type": "keyword"
}
```

By default, a string field is indexed as text and as keyword in a separate .keyword field, which is why I asked about this.

If that didn't happen, the mapping has to be updated and existing data has to be reindexed so application_name becomes a keyword field.
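The check described in the two replies above (terms aggregations need a keyword field or a `.keyword` multi-field, so inspect `GET /netflow-*/_mapping` and fix the mapping plus reindex if it is missing) as an added example, not code from this thread or from Elastic. It is a small Python script that walks a mapping response of the Elasticsearch 7 (typeless) shape, lists the fields a terms aggregation can use per index, flags indices where the field has neither form, and builds the index-template body for the fix. The index names and the sample mapping are constructed; the template and reindex bodies use the documented legacy `_template` and `_reindex` request formats.

```python
"""Report which fields in a GET /<index>/_mapping response can be used in a
Kibana terms aggregation ("Split slices" bucket), and build the fix bodies.
Assumes the Elasticsearch 7 typeless mapping shape; sample data is constructed."""

# Constructed sample: one index where application_name got the default
# text + .keyword multi-field, and one where it is plain text (not aggregatable).
SAMPLE_MAPPING = {
    "netflow-2019.01": {"mappings": {"properties": {"netflow": {"properties": {
        "src_port": {"type": "integer"},
        "packets": {"type": "long"},
        "application_name": {
            "type": "text",
            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
        },
    }}}}},
    "netflow-2019.02": {"mappings": {"properties": {"netflow": {"properties": {
        "src_port": {"type": "integer"},
        "application_name": {"type": "text"},
    }}}}},
}

# Field types that support terms aggregation without extra settings.
AGGREGATABLE_TYPES = {"keyword", "ip", "boolean", "date", "integer", "long",
                      "short", "byte", "float", "double", "scaled_float"}


def walk_properties(props, prefix=""):
    """Yield (full_field_name, definition) for every leaf field, descending
    into object properties and into multi-fields declared under "fields"."""
    for name, definition in props.items():
        full = f"{prefix}{name}"
        if "properties" in definition:          # object field: recurse
            yield from walk_properties(definition["properties"], full + ".")
            continue
        yield full, definition
        for sub, subdef in definition.get("fields", {}).items():
            yield f"{full}.{sub}", subdef       # e.g. application_name.keyword


def terms_aggregatable(field_def):
    """True if a terms aggregation can run on this field definition:
    keyword-like types, or text with fielddata explicitly enabled."""
    if field_def.get("type") == "text":
        return field_def.get("fielddata", False) is True
    return field_def.get("type") in AGGREGATABLE_TYPES


def aggregatable_fields(mapping_response):
    """{index_name: sorted field names usable in a terms aggregation}."""
    return {
        index: sorted(f for f, d in walk_properties(body["mappings"].get("properties", {}))
                      if terms_aggregatable(d))
        for index, body in mapping_response.items()
    }


def missing_keyword(mapping_response, field):
    """Indices where `field` exists but neither it nor `field`.keyword is
    aggregatable. field_caps (which Kibana's index pattern uses) reports a
    field as aggregatable only when every matched index can aggregate it, so
    one such index is enough to hide the field from the terms field list."""
    bad = []
    for index, body in mapping_response.items():
        fields = dict(walk_properties(body["mappings"].get("properties", {})))
        if field in fields and not (terms_aggregatable(fields[field]) or
                                    terms_aggregatable(fields.get(field + ".keyword", {}))):
            bad.append(index)
    return bad


def keyword_template_body(index_pattern, field):
    """Body for PUT _template/<name> mapping `field` directly as keyword,
    as the reply suggests. Templates only apply to indices created afterwards."""
    mapping = {"type": "keyword"}
    for part in reversed(field.split(".")):
        mapping = {"properties": {part: mapping}}
    return {"index_patterns": [index_pattern], "mappings": mapping}


def reindex_body(source_index, dest_index):
    """Body for POST _reindex so existing data picks up the new mapping."""
    return {"source": {"index": source_index}, "dest": {"index": dest_index}}


if __name__ == "__main__":
    for index, fields in aggregatable_fields(SAMPLE_MAPPING).items():
        print(index, "->", ", ".join(fields))
    for index in missing_keyword(SAMPLE_MAPPING, "netflow.application_name"):
        print("needs keyword mapping + reindex:", index)
        print(reindex_body(index, index + "-fixed"))
    print(keyword_template_body("netflow-*", "netflow.application_name"))
```

Run it against a real response by loading the JSON returned by `GET /netflow-*/_mapping` into `aggregatable_fields` and `missing_keyword`; on Elasticsearch 6 the mapping has an extra type-name level under `mappings` that this walker would need to skip.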

Thanks
I've added it and everything is working.
Thank you very much for your help and support
