Hi Team!
We have a custom App and are trying to define some Log Pattern based on some custom messages. In our Demo App, where we type and submit any kind of test message, Filebeat outputs to ES and the message appears in the message field.
However, when I try to create a Visualization and use the "message" field in Terms, it is not available.
What can I do to have the message string show up as a valid field to create Visualizations in Kibana?
We are testing this on OpenShift 4.x (OCP on-premise) and deploying Filebeat as a DaemonSet.
Example of custom messages an Application can generate:
"App01 - WebServer is starting"
"App01 - WebServer is up and running"
"App01 - WebServer is scaling 2 pods"
"App02 - Database is will be restarted in 5 minutes"
"App02 - Database is up and running"
"App02 - Database is refreshing tables"
The message field is an analyzed text field. If you want to do aggregations on the field then you should copy the data over to a different field that will be a keyword data type. keyword fields are supported in aggregations.
Based on those samples I'd recommend to use the dissect processor to split it up. It looks like the first part is a service.name and the second part could be a service.status. As an example:
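The two suggestions in the reply above, written out as a Filebeat `processors` section. This is an added example, not the configuration from the original post: the target field name `message_keyword` is hypothetical, and it assumes the log lines reach Filebeat without the surrounding quotes shown in the samples.

```yaml
# filebeat.yml (processors section only) - added example
processors:
  # Option 1: keep the whole line in a second field that can be mapped
  # as keyword. "message_keyword" is a hypothetical name; check in your
  # index template or mapping that it really is a keyword field,
  # otherwise Terms aggregations will still not offer it.
  - copy_fields:
      fields:
        - from: message
          to: message_keyword
      fail_on_error: false
      ignore_missing: true

  # Option 2: split "App01 - WebServer is starting" into two fields.
  #   service.name   -> "App01"
  #   service.status -> "WebServer is starting"
  # target_prefix: "" writes the keys at the root of the event instead
  # of under the default "dissect." prefix.
  - dissect:
      tokenizer: "%{service.name} - %{service.status}"
      field: "message"
      target_prefix: ""
```

Splitting with dissect gives a low-cardinality `service.name` to aggregate on, which is usually more useful in a Terms visualization than one bucket per distinct full message.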
Many thanks Andrew! It was very didactic!
To start, I have used copy_fields. The next step will be to check how the App Owner wishes to define its log pattern. Again, I very much appreciate your help! Mauricio