Logtrail error

Hello,

I get this error in Kibana:

Error! Exception while fetching hosts : beat.hostname field not of type keyword or keyword mapping does not exist.

I have this configuration in logtrail.json:

{
  "version" : 1,
  "index_patterns" : [
    {
      "es": {
        "default_index": "filebeat-*"
      },
      "tail_interval_in_seconds": 10,
      "es_index_time_offset_in_seconds": 0,
      "display_timezone": "local",
      "display_timestamp_format": "MMM DD HH:mm:ss",
      "max_buckets": 500,
      "default_time_range_in_days" : 0,
      "max_hosts": 100,
      "max_events_to_keep_in_viewer": 5000,
      "fields" : {
        "mapping" : {
            "timestamp" : "@timestamp",
            "hostname" : "beat.hostname",
            "program": "source",
            "message": "message"
        },
        "message_format": "{{{source}}} {{{message}}}"
      },
      "color_mapping" : {
      }
    }
  ]
}

Everything is at the newest version.
How can I resolve this problem?

It sounds like logtrail's expecting the mapping in elasticsearch for beat.hostname to be keyword. By default this should be the case if the filebeat template is used, so that may be worth looking into. If you're fine with the mappings you can probably swap beat.hostname with beat.hostname.keyword.

Where can I swap beat.hostname with beat.hostname.keyword?
I don't understand exactly how to resolve the problem.

Hey flochon, at

If you're curious you can dig into string types at https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html. If the field is mapped as text it'll be analyzed, basically split on certain characters for full text search. Usually when you're doing a terms agg you want to bucket by the full phrase (hence keyword, in this case would be the full hostname).
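
The check the replies describe, as an added example that is not part of the original thread: it reads a mapping response and reports, per index, whether beat.hostname is itself a keyword field or only carries a keyword sub-field, which is the name to use for "hostname" under fields.mapping in logtrail.json. The sample response is constructed and the function names are hypothetical; a real response would come from `GET filebeat-*/_mapping`.

```python
# Constructed sample of a `GET filebeat-*/_mapping` response (not from the thread).
# The first index uses the 6.x layout (document type level) with a keyword field;
# the second uses the typeless layout with analyzed text plus a keyword sub-field.
SAMPLE_MAPPING = {
    "filebeat-2018.01.01": {"mappings": {"doc": {"properties": {"beat": {"properties": {
        "hostname": {"type": "keyword", "ignore_above": 1024}}}}}}},
    "filebeat-2018.01.02": {"mappings": {"properties": {"beat": {"properties": {
        "hostname": {"type": "text", "fields": {"keyword": {"type": "keyword"}}}}}}}},
}


def field_definition(mappings, dotted_name):
    """Walk a mappings body down to the definition of `dotted_name`, or return None."""
    # Elasticsearch 6.x nests properties under a document type; 7.x and later do not.
    if "properties" not in mappings:
        for type_body in mappings.values():
            if isinstance(type_body, dict) and "properties" in type_body:
                return field_definition(type_body, dotted_name)
        return None
    node = mappings
    for part in dotted_name.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def aggregatable_name(definition, dotted_name):
    """Return the field name usable in a terms aggregation, or None if there is none."""
    definition = definition or {}
    if definition.get("type") == "keyword":
        return dotted_name
    for sub_name, sub_def in definition.get("fields", {}).items():
        if sub_def.get("type") == "keyword":
            return f"{dotted_name}.{sub_name}"
    return None


def check_indices(mapping_response, dotted_name):
    """Map each index name to the field name to use for it (None: no keyword mapping)."""
    result = {}
    for index, body in mapping_response.items():
        definition = field_definition(body.get("mappings", {}), dotted_name)
        result[index] = aggregatable_name(definition, dotted_name)
    return result


if __name__ == "__main__":
    for index, name in sorted(check_indices(SAMPLE_MAPPING, "beat.hostname").items()):
        print(index, "->", name or "no keyword mapping found")
```

If the indices behind the pattern disagree, as in this sample, no single value in logtrail.json fits all of them, which points back to the template not having been applied to every index.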
