Sending Extracted Fields to Kibana

sushmithak · July 8, 2015, 10:48am

Hi,

i have modified the logstash configuration file to extract some fields. The extracted fields are dispalying in logstash.stdout file but are not showing in kibana.

my configuration file is like this:

filter {
if [type] == "cloudera" {
grok {

  match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  add_field => [ "received_at", "%{@timestamp}" ]
  add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}
how to send these extracted fields from logstash to kibana?

warkolm · July 8, 2015, 10:51am

Which fields in particular?

sushmithak · July 8, 2015, 10:53am

Thanks for the reply.
I want to display the fields received_at and received_from in kibana.

warkolm · July 8, 2015, 10:55am

@timestamp is only generated when the doc is sent to Elasticsearch, so that add line won't work..

Are you seeing the received_from field in stdout?

sushmithak · July 8, 2015, 10:59am

yes, i'm seeing received_from in stdout

here is my ouput:

warkolm · July 8, 2015, 11:09am

Then it'll be uploaded to ES and visible via KB.

Can you not see this in the documents under the Discover tab?

sushmithak · July 8, 2015, 11:13am

No,these fileds are not displaying under Discover tab.

Do i need to do any other changes to send these fields to kibana?

warkolm · July 8, 2015, 11:13am

Try refreshing your fields under the index settings?

sushmithak · July 8, 2015, 12:51pm

Thanks Mark Walkom,

Now,I'm getting extracted fields in Kibana.