Hi, I am new to Elastic and have really enjoyed exploring the Elastic Stack so far.
For background, I am still developing log normalization for my monitored assets and classifying them into a specific event.category and a specific event.kind.
Now I am struggling to find the possible root cause of why there is a duplicate value in event.category. I already made sure there is no mistyping (typo) in it.
I hope the community can answer my question, thanks.
Does any of those values have a space or other character in it that would not be visible in the UI?
Hi Christian,
I appreciate you taking the time to reply to this.
I already double-checked the Logstash conf and the Filebeat pipeline; there is no space or other character in it.
It is a bit strange: when I filtered on the two "Audit" values, as in the screenshot below,
and then filtered one by one, both the first "Audit" and the second "Audit" gave the same result when I tried to populate event.kind.
Look at the raw JSON documents. Spaces are hard to spot in any other view.
I appreciate you taking the time to review this, Christian.
You're correct, the other guys misspelled it with a space added in another Logstash.
I have also already solved all the strange things above.
Thank you.
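
The check suggested in this thread, reading the raw JSON rather than the UI, can be automated. The following is an added example and not part of the original thread: it groups the stored `event.category` values by their visible form and reports every group that is indexed as more than one term. It goes beyond the trailing space found here by also catching non-breaking spaces and control or zero-width characters. The sample documents are constructed, and the function names are hypothetical.

```python
import json
import unicodedata
from collections import defaultdict

# Constructed sample documents, shaped like the "_source" of raw JSON hits.
SAMPLE_DOCS = [
    '{"event": {"category": "Audit", "kind": "event"}}',
    '{"event": {"category": "Audit ", "kind": "event"}}',
    '{"event": {"category": ["Audit\\u00a0", "Network"], "kind": "event"}}',
    '{"event": {"category": "Network", "kind": "alert"}}',
]

def get_field(doc, dotted):
    """Resolve a dotted field name, accepting flattened or nested keys."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def visible_form(value):
    """What a person sees in the UI: drop control/format characters
    (Unicode categories Cc, Cf), then strip leading/trailing whitespace."""
    kept = "".join(ch for ch in value
                   if unicodedata.category(ch) not in ("Cc", "Cf"))
    return kept.strip()

def find_lookalikes(raw_docs, field="event.category"):
    """Return {visible form: [distinct stored values]} for forms that are
    stored as more than one term. Handles string and array field values."""
    variants = defaultdict(set)
    for raw in raw_docs:
        value = get_field(json.loads(raw), field)
        if value is None:
            continue
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, str):
                variants[visible_form(item)].add(item)
    return {k: sorted(v) for k, v in variants.items() if len(v) > 1}

if __name__ == "__main__":
    for shown, stored in find_lookalikes(SAMPLE_DOCS).items():
        print(f"{shown!r} is stored as {len(stored)} different terms:")
        for term in stored:
            print("   ", ascii(term))  # ascii() makes hidden characters visible
```
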