Hi! I've been testing the ELK Stack with rsyslog for a few weeks now to centralize logs from Linux servers and Cisco/Juniper routers and switches.
Everything's going well so far; with the forum and the documentation I managed to solve every problem that has come up. But now I'm stuck: when trying to build graphs with the "Visualize" feature, for some reason the messages are split on white space. For example, if the log message is "Connection from x.x.x.x", I get three separate messages: "Connection", "from", "x.x.x.x". Graphs of course make no sense whatsoever.
This also happens with the hostname of the log sender, but I solved that using the .raw fields.
After reading many posts, I came to the conclusion that the solution to this issue is setting the "message" field (or whatever other field) to "not_analyzed".
The thing is, I've been reading the documentation on mapping and using curl to update the values and make the message field "not_analyzed". I've also been reading posts on the same issue from people using ELK for similar purposes, but I can't figure it out; I tried different queries, but they either fail or don't change a thing.
Is this what I should be looking for, or is there another way to work around this? Is there actually a way to switch the value for one field (from analyzed to not_analyzed) from the command line with curl queries, or is there another way to go about it?
Thanks in advance
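As an added example (not part of the original post and not the poster's code), the script below builds the kind of index template that gives every analyzed string field a `not_analyzed` `.raw` multi-field, the same pattern the post already relies on for the hostname. It uses the Elasticsearch 1.x/2.x mapping syntax (`"type": "string"`, `"index": "not_analyzed"`) and assumes an index pattern of `logstash-*`; the sample mapping, the document type `syslog` and the template name are constructed for illustration. A template only affects indices created after it is stored, because the analyzed/not_analyzed setting of an existing field cannot be changed in place.

```python
"""Generate an Elasticsearch index template that adds a not_analyzed
".raw" multi-field to every analyzed string field.

Added example; assumptions: Elasticsearch 1.x/2.x mapping syntax, a
constructed sample mapping and the index pattern "logstash-*".
"""
import copy
import json

# The same sub-field definition the default Logstash template uses
# for its ".raw" fields; ignore_above keeps very long messages out of
# the keyword-style index.
RAW_SUBFIELD = {"type": "string", "index": "not_analyzed", "ignore_above": 256}


def add_raw_subfields(properties):
    """Return a copy of a mapping 'properties' dict in which every analyzed
    string field gains a 'raw' multi-field. Nested objects are walked too;
    fields that are already not_analyzed or already have 'raw' are left alone."""
    out = {}
    for name, spec in properties.items():
        spec = copy.deepcopy(spec)
        if spec.get("type") == "string" and spec.get("index") != "not_analyzed":
            spec.setdefault("fields", {}).setdefault("raw", dict(RAW_SUBFIELD))
        if "properties" in spec:  # object field: recurse into its children
            spec["properties"] = add_raw_subfields(spec["properties"])
        out[name] = spec
    return out


def build_template(index_pattern, doc_type, properties):
    """Assemble the body for PUT /_template/<name>."""
    return {
        "template": index_pattern,
        "mappings": {doc_type: {"properties": add_raw_subfields(properties)}},
    }


def raw_field_names(properties, prefix=""):
    """List the dotted names (e.g. 'message.raw') that a Visualize terms
    aggregation should use instead of the analyzed field."""
    names = []
    for name, spec in properties.items():
        if "raw" in spec.get("fields", {}):
            names.append(prefix + name + ".raw")
        if "properties" in spec:
            names.extend(raw_field_names(spec["properties"], prefix + name + "."))
    return sorted(names)


# Constructed sample of what a syslog index mapping might look like.
SAMPLE_PROPERTIES = {
    "message": {"type": "string"},                       # analyzed: gets .raw
    "hostname": {"type": "string",                       # already has .raw
                 "fields": {"raw": {"type": "string", "index": "not_analyzed"}}},
    "port": {"type": "integer"},                         # not a string: untouched
    "syslog": {"properties": {
        "program": {"type": "string"},                   # nested: gets .raw
        "severity": {"type": "string", "index": "not_analyzed"},  # untouched
    }},
}

if __name__ == "__main__":
    template = build_template("logstash-*", "syslog", SAMPLE_PROPERTIES)
    print(json.dumps(template, indent=2))
    print("aggregate on:", raw_field_names(template["mappings"]["syslog"]["properties"]))
    # Store it (constructed template name), then let the next daily index pick it up:
    #   python this_script.py > template.json
    #   curl -XPUT 'http://localhost:9200/_template/syslog_raw' -d @template.json
```

Once the template is in place, new `logstash-*` indices expose `message.raw` alongside the analyzed `message`; pick the `.raw` name in the Visualize terms aggregation and the whole "Connection from x.x.x.x" line is counted as one value. Indices created before the template are unaffected and would need to be reindexed to gain the field.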