Kibana3 - total of sc-bytes field


(Johnathan Phan) #1

Hi everyone,

I have a set of logs in ES from cloudfront. I have a field called sc-bytes,
I want the total from the bytes for a specific subset of data I filter. I
have tried the following.

Adding a histogram, setting "Chart Value" to "Total". Then setting the
"Value field" to "sc-bytes".

I get the following exception.

ClassCastException[org.elasticsearch.index.fielddata.plain.PagedBytesIndexFieldData
cannot be cast to org.elasticsearch.index.fielddata.IndexNumericFieldData]

I have double checked this as logstash is setting the value to Number for
the field sc-bytes. Does anyone know what is wrong here?

Regards

John

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/e7809e65-ba37-4821-a3db-63172f05ac2d%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Johnathan Phan) #2

Hi Everyone,

Got a little further.

I made my query have this value.

sc-bytes:*

As the selected query.

from[-1],size[-1]: Parse Failure [Failed to parse source
[{"facets":{"0":{"date_histogram":{"key_field":"@timestamp","value_field":"sc-bytes","interval":"12h"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"sc-bytes:*"}},"filter":{"bool":{"must":[{"fquery":{"query":{"field":{"type":{"query":"cloudfront"}}},"_cache":true}},{"fquery":{"query":{"field":{"PLATFORM":{"query":""test_system""}}},"_cache":true}},{"range":{"@timestamp":{"from":1384772252771,"to":"now"}}},{"fquery":{"query":{"field":{"cs-uri-stem":{"query":"test"}}},"_cache":true}}]}}}}}}}},"size":0}]]]

I don't understand this error, can someone help me?

Regards

John

On Wednesday, 18 December 2013 10:46:48 UTC, Johnathan Phan wrote:

Hi everyone,

I have a set of logs in ES from cloudfront. I have a field called
sc-bytes, I want the total from the bytes for a specific subset of data I
filter. I have tried the following.

Adding a histogram, setting "Chart Value" to "Total". Then setting the
"Value field" to "sc-bytes".

I get the following exception.

ClassCastException[org.elasticsearch.index.fielddata.plain.PagedBytesIndexFieldData
cannot be cast to org.elasticsearch.index.fielddata.IndexNumericFieldData]

I have double checked this as logstash is setting the value to Number for
the field sc-bytes. Does anyone know what is wrong here?

Regards

John



(Johnathan Phan) #3

Hi There,

This is the query the histogram is trying to run.

curl -XGET 'http://log-analysis.channel4.com:/logstash-2013.12.12,logstash-2013.12.11,logstash-2013.12.10,logstash-2013.12.09,logstash-2013.12.08,logstash-2013.12.07,logstash-2013.12.06,logstash-2013.12.05,logstash-2013.12.04,logstash-2013.12.03,logstash-2013.12.02,logstash-2013.12.01,logstash-2013.11.30,logstash-2013.11.29,logstash-2013.11.28,logstash-2013.11.27,logstash-2013.11.26,logstash-2013.11.25,logstash-2013.11.24,logstash-2013.11.23,logstash-2013.11.22,logstash-2013.11.21,logstash-2013.11.20,logstash-2013.11.19,logstash-2013.11.18/_search?pretty' -d '{
  "facets": {
    "0": {
      "date_histogram": {
        "key_field": "@timestamp",
        "value_field": "sc-bytes",
        "interval": "12h"
      },
      "global": true,
      "facet_filter": {
        "fquery": {
          "query": {
            "filtered": {
              "query": {
                "query_string": {
                  "query": "sc-bytes:*"
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "fquery": {
                        "query": {
                          "field": {
                            "type": {
                              "query": "cloudfront"
                            }
                          }
                        },
                        "_cache": true
                      }
                    },
                    {
                      "fquery": {
                        "query": {
                          "field": {
                            "PLATFORM": {
                              "query": ""test_system""
                            }
                          }
                        },
                        "_cache": true
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "from": 1384772438978,
                          "to": "now"
                        }
                      }
                    },
                    {
                      "fquery": {
                        "query": {
                          "field": {
                            "cs-uri-stem": {
                              "query": "tt"
                            }
                          }
                        },
                        "_cache": true
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "size": 0
}'
