[SOLVED] Visualization shortens beats.name

jerrac · February 11, 2016, 11:02pm

I've loaded the example beats dashboards/searches/visualizations into Kibana. They are definitely working. Except that a lot of beat.name data is truncated/abbreviated.

This is only the Topbeat dashboard/etc. since I only have it and Filebeat running.

As in, pre-prod-example-01.example.tld becomes just example or pre or 01.

I see this in the legends of the System Load and Process Status visualizations. It also occurs in the beats.name column of the Servers visualization.

Is there a way to prevent that form happening? 01 is hardly useful when you multiple servers ending in -01. I'd rather have it wrap or something than what it is doing.

Thanks!

steffens · February 12, 2016, 12:59pm

Have you loaded applied the indexes to elasticsearch before installing the dashboards and before indexing data via beats?

jerrac · February 12, 2016, 4:55pm

I'm not entirely sure what you mean. I was indexing data from filebeat and topbeat before I installed the example dashboards.

I checked out the dashboard project, modified it to use my index name instead of topbeat, and then ran the load.sh script.

What does "applied the indexes" mean? I thought an index was similar to a database in sql.

steffens · February 16, 2016, 4:29pm

sorry, typo. I meant to write: have you applied the index templates as described in getting started guide before indexing any data?

jerrac · February 16, 2016, 5:25pm

I may have made a bad assumption. Topbeat is sending to Logstash, so I assumed Logstash would deal with the template aspect. Plus, since I'm not using an index of "topbeat", I didn't think those templates would apply.

I have read the elasticsearch docs on templates, but maybe I missed something...

steffens · February 17, 2016, 6:55am

Having a template is not mandatory in elasticsearch/logstash. If data is processed by logstash, you have to take care of the mappings in the generated index. Problem is the strings (which is default) are analyzed if not disabled by mapping. Templates can be used to specify a mapping to be used with newly created indexes.

jerrac · February 17, 2016, 4:46pm

Ah, so I need to take the topbeat template, and the logstash template, and merge them together.

Thanks for the help!

jerrac · February 18, 2016, 12:47am

And, after the index rolled over to the next day, it appears it is working the way I wanted. Thanks again!

For reference, this is the template I'm using on my 2.2.0 logstash indexer:

gist.github.com

https://gist.github.com/jerrac/c6b2ade878a2e1ffe4c9

template.json

    {
      "template" : "logstash-*",
      "settings" : {
        "index.refresh_interval" : "5s"
      },
      "mappings" : {
        "_default_" : {
          "_all" : {"enabled" : true, "omit_norms" : true},
          "dynamic_templates" : [ {
            "message_field" : {

This file has been truncated. show original

ruflin · February 18, 2016, 4:49pm

Glad to hear it worked. The template cannot be changed on existing indices but will be applied to new ones. That explains why it worked on the next day.

jerrac · February 18, 2016, 5:09pm

Yep, the docs are pretty clear on that.

Does discourse have a "mark solved" button, or should I just edit the title of my initial post?

ruflin · February 18, 2016, 5:28pm

I don't think so. There is a close option but I don't think that is what we want to do in case someone wants to comment in the future. Editing title is definitively an option.