recently I upgrade my ELK stack from version 5 to version 6(.4).
My documents contains a field which is a JSON object and until now, the JSON's attributes were shown in Kibana's discovery UI as seperate fields (as shown in the following screenshot)
After the upgrade, the JSON object is not split into several fields but shown as a single object. I don't have a clue why this is happening.
The data is incoming via Logstash and it just parses a incoming String to a JSON object, like this:
json {
source => "message"
target => "message"
}
But this was not changed - so it was done like this before.
The mapping is also the same as before. Is there something like an option where I can specify Kibana's behavior in this case?
It's possible that you may have to refresh your index pattern fields in the management screen. If that doesn't work could you provide the mapping here so I can try to troubleshoot? Thanks!
The reason was, that my index-pattern matched an index which used a mapping where the "message" field was stored as an object(field) itself.
So there were these two mappings for the "message" field existing:
Due to this, Kibana grouped all fields starting with "message" together to an object.
Removing the "wrong" index and refreshing the fields of the index pattern solved the problem.
Now, the fields are shown seperatly, as shown in the screenshot of my question.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
