Lost .raw fields after creating custom index

Sameer_Dharur · March 15, 2016, 6:56am

I just created a custom index using the following config but I don't see the .raw fields anymore - which I need to carry out the desired visualizations. Could somebody please explain exactly what I need to do and how I should go about doing it? Thanks!

Here's my config -

I have modified my config to the following but still getting the same default date-based name for the index. Any suggestions?

input {
file {
path => "C:/ELK/logstash-2.2.2/sample.log"
type => "sample"
start_position => "beginning"
sincedb_path => "C:/ELK/logstash-2.2.2/dbfiles"

}
}

filter {
grok { match => { "message" => "%{DAY:day}\s%{MONTH:month}\s%{MONTHDAY:monthday}\s%{YEAR:year}\s%{TIME:time}\sGMT(?[+-]\d\d\d\d)\s([^)]+)\s%{NUMBER:temp}\s%{NUMBER:light}\s%{GREEDYDATA:room}"} }

}

output {

elasticsearch {

index => "templightlogs"

}

stdout{}

}

magnusbaeck · March 15, 2016, 7:18am

This is really a Logstash question that you might want to move to the Logstash category.

This is because the index template that ships with Logstash and is installed on the ES cluster by default only covers indexes whose names match logstash-*. You should make a copy of that template, adjust the index name pattern, and have your elasticsearch output use your template file instead.

Topic		Replies	Views
Raw field disappear Elasticsearch	6	1017	July 5, 2017
Raw fields missing Logstash	3	3051	July 6, 2017
Custom Index Name - Logstash Logstash	8	20203	July 6, 2017
No .raw field in kibana Logstash	4	2340	September 27, 2017
Confused about how to use .raw fields and not analyze string fields Kibana	37	51284	July 6, 2017

Lost .raw fields after creating custom index

Related topics