Logstash GROK Visualize

somerandomguy · September 7, 2016, 4:35am

Hi, I am using GROK to split out my log messages into fields.
Some message fields have multiple words as a result e.g. login authentication succeeded or login authentication failed.
When I go to Kibana, Discover, find the log and then on the left hand side pane expand the relivant field I can see them both one above the other l but when I click on visualise it creates 4 bar charts "authentication", "login", "succeeded" and "failed".

Have noticed I also have a warning message next to Visualize - 1 warning - This is an analyzed string field. Analyzed strings are highly unique and can use a lot of memory to visualize.....

Is there any way to fix up the GROK to keep the messages together.

In GROK I'm capturing this part as %{CISCO_REASON:login_authentication_response}.

magnusbaeck · September 7, 2016, 6:14am

This is unrelated to grok. The problem is that the field stored in Elasticsearch is analyzed. You should have a .raw subfield that you can use, or you can use an index template to change the field's configuration to not be analyzed.

somerandomguy · September 7, 2016, 6:26am

Thanks Magnus.
Got any good links with examples on how I can do this?

magnusbaeck · September 7, 2016, 7:37am

I don't have anything specific but index templates and how to mark fields as non-analyzed has been covered here many many times before and index templates in general is of course included in the ES documentation.