Not able to create visualization

Hi All,

I have extracted certain fields from the message through the GROK pattern in Logstash, and the fields are available in Kibana after indexing. But I am not able to use those fields to create a visualization.

Could someone help me with how I can make use of the fields I have extracted to create a visualization in Kibana?

Hi @premkumar
Have you refreshed the field list in the Index Pattern?
If you haven't, in Kibana go to Management > Index Patterns > (select your index pattern)
and click the refresh button.

Hi @dgonzalezp,

Yes, I have refreshed, and I can see the fields extracted via the GROK pattern in Logstash. But I am still not able to query the extracted fields.

For example, I have a field named Authentication status which has two types of values, 200 & 400. I want to create a visualization based on the % of 200 & 400 or the count of 200 & 400 status codes.

But I am not able to query the fields based on the values.

It could be because the value is a string type and you need a number type to make that visualization.
I'm not sure, but you can check that in the Index Pattern.

On checking the field type, it is set to type as text. But it is set automatically while extracting via the GROK pattern.
Would you be able to shed light on setting the type while extracting the pattern?

Yes, in Kibana management I can see it as String. But I did not set the data type while extracting it.
Is there a way to change it now, or any way to set the type while extracting?

Yes, you can change the data type in the Logstash filter.
For example, I did it with "mutate" like this:

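if "mem" in [message] {
  grok {
    # Single-quoted so the literal double quotes in the pattern need no escaping
    match => [
      "message",
      '"mem":(?<uso_memoria>([^"]*)),'
    ]
  }
  # Cast the captured string to an integer before indexing
  mutate {
    convert => { "uso_memoria" => "integer" }
  }
}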
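
The same idea applied to the authentication status field from the question, as an added example that is not part of the original posts. The field name `auth_status`, the tag name and the sample log line are assumptions made for illustration.

```logstash
# Constructed sample line this filter expects:
#   2021-03-04T10:15:02Z user=alice auth_status=200
filter {
  grok {
    # The ":int" suffix casts the capture while it is extracted.
    # Grok's inline cast supports only int and float.
    match => { "message" => "auth_status=%{INT:auth_status:int}" }
    # Assumed tag name, so lines without a status code are easy to find
    tag_on_failure => ["_auth_status_parse_failure"]
  }

  # A named regex group such as (?<auth_status>\d+) cannot carry an inline
  # cast, so a field captured that way is converted afterwards instead.
  if [auth_status] {
    mutate {
      convert => { "auth_status" => "integer" }
    }
  }
}
```

Elasticsearch does not change the mapping of a field that already exists in an index, so the integer type only takes effect in a newly created index or after a reindex. Refresh the index pattern's field list in Kibana afterwards.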

Got it. Thanks @dgonzalezp

You are welcome, @premkumar. If you could select the reply as the solution, that would be great.
Have a nice day.
