Show different Index for different fields

I have a field called fields.log_type which has three values: access, errors, dispatch. I want each value to be its own index on the Discover tab. Is it possible?

Time                            message                               fields.log_type
Jan 7, 2020 @ 11:11:33.281      <incidentid>24749056</incidentid>     access
Jan 7, 2020 @ 11:11:33.139      Workflow.InIsDispatchPaused = true    dispatch

@Mehak_Bhargava Thank you for your question. I'm not sure I understand exactly what you mean by "each value to be its own index". Do you want each value (access, errors and dispatch) to be an individual index pattern, or do you want these to be columns in the Discover table?
If neither of these matches what you want, could you maybe provide an annotated screenshot of your desired result?
Thanks!

@cheiligers, thanks for responding! Sorry for the confusing statement, but what I mean is that, as shown below in the screenshot, I want an IncidentLogErrorIndex label to be created and then all values with field.log_type=errors show up. And hence make three such filters that separate out the results.
Right now I have to make it repeatedly since these are filters only. And when the filter is for access logs, I have to delete the errors filter. So I just want it in a way where I click this custom label and the required output is shown, similar to how fields function.

@Mehak_Bhargava, I think I understand now; thank you for the screenshot and the extra information. I'm not sure if you are aware of the extra options that filters give you. For example, you could create three filters, one for each of the different values of fields.log_type. To have only one of them active, you can temporarily disable the other two by clicking on the filter pills and selecting the "Temporarily disable" option. There are other options for filter pills too: https://www.elastic.co/guide/en/kibana/current/field-filter.html#filter-pinning.

@cheiligers, I just applied that and it works.
But is there a better way to separate the log results based on fields.log_type? I have been trying to make multiple indices and even have a discussion page going on it, but I haven't been successful at it, so I thought this way of using filters would, if not replicate, at least help with the purpose of multiple indices.

@Mehak_Bhargava I would also have suggested dividing the index pattern up using Logstash and hopefully that will work eventually!
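As an added illustration of the Logstash approach mentioned above (not code from this thread or from Elastic), here is a pipeline output section that routes each event to its own index based on fields.log_type; the Elasticsearch host, the index name prefix and the fallback index are assumptions:

```conf
# Added example: route events to separate indices by fields.log_type.
# Assumes the custom field arrives nested as fields.log_type (as it does
# when set via Filebeat's `fields` option without fields_under_root) and
# that Elasticsearch is reachable at localhost:9200 (placeholder host).
output {
  if [fields][log_type] in ["access", "errors", "dispatch"] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      # Sprintf reference: the value of fields.log_type becomes part of
      # the index name, yielding logs-access-*, logs-errors-* and
      # logs-dispatch-* (values are already lowercase, as index names require).
      index => "logs-%{[fields][log_type]}-%{+YYYY.MM.dd}"
    }
  } else {
    # Events with a missing or unexpected log_type are kept in a separate
    # index rather than silently mixed into one of the three above, so
    # they can be reviewed instead of disappearing from the split views.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "logs-unrouted-%{+YYYY.MM.dd}"
    }
  }
}
```

With this in place, creating the index patterns logs-access-*, logs-errors-* and logs-dispatch-* in Kibana gives you one selectable entry per log type in Discover, with no filters to toggle.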

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.