[Resolve] Field from logstash not indexed


(Rdesgrange) #1

Hi,

I have a setup where filebeat send log to logstash, that process it through grok parser and then send it to Elasticsearch. Classic.

I just add this line in my logstash configuration :

useragent {
   source => "http_user_agent"
   target => "useragent"
}

In Kibana I can see the data, but kibana say to me "This field is not indexed thus unavailable for visualisation and search"

I didn't have problem with other field ? with this field aren't indexed ? I have the geoip plugin and field are correctly indexed.

In advance thanks


(Alexander Reelsen) #2

Hey,

the useragent field usually contains some more sub fields. Is it possible that you havent specified a concrete one?

--Alex


(Rdesgrange) #3

what do you mean by concreate one.

I have several sub fields, like build, device, etc... but where do I need to specify these field in order to index it ?

The thing I don't understand is why geoip is indexed normaly (without any configuration) and not useragent.


(Rdesgrange) #4

Ok I refresh the kibana index in Settings/Indices, and it's now indexed.

Sorry, I though that the field wasn't index in elasticsearch :frowning:

Thanks for the help.


(system) #5