[SOLVED] Visualize and raw field


(alexandre) #1

Hi all,

I have a mapping like below:

"properties" : {
          "@source_host" : {
            "type" : "string",
            "analyzer" : "custom-analyzer",
            "fields" : {
              "raw" : {
                "type" : "string",
                "index" : "not_analyzed"
              }
            }
          }
...

When I make a search like below, it works:

curl -XGET localhost:9200/logstash-2016.05.09/_search?pretty -d'
{
  "query": {
    "match": { "@source_host": "test-20.corp" }
  }
}'
{
  "took" : 22,
  "timed_out" : false,
  "_shards" : {
    "total" : 20,
    "successful" : 20,
    "failed" : 0
  },
  "hits" : {
    "total" : 13922,
    "max_score" : 2.8506393,
    "hits" : [ {
      "_index" : "logstash-2016.05.09",
      "_type" : "cisco_log",
      "_id" : "AVSUoghihtVrl161fIgd",
      "_score" : 2.8506393,
      "_source" : {
        "message" : "2016-05-09T10:21:05+02:00 10.126.14.209 notice 2016 May  9 10:21:05.189 CEST: %ETHPORT-5-SPEED: Interface port-channel1016, operational speed changed to 10 Gbps",
        "@version" : "1",
        "@timestamp" : "2016-05-09T08:21:05.189Z",
        "host" : "127.0.0.1:40990",
        "type" : "cisco-ios",
        "syslog_host_time" : "2016-05-09T10:21:05+02:00",
        "client" : "10.10.10.1",
        "severity" : "notice",
        "client_date" : "2016 May  9 10:21:05.189 CEST",
        "facility" : "ETHPORT",
        "int_severity" : "5",
        "mnemonic" : "SPEED",
        "short_message" : "Interface port-channel1016, operational speed changed to 10 Gbps",
        "tags" : [ "cisco_ios" ],
        "@source_host" : "test-20.corp"
      }

With the raw field, it works too:

curl -XGET localhost:9200/logstash-2016.05.09/_search?pretty -d'
{
  "query": {
    "match": { "@source_host.raw": "test-20.corp" }
  }
}'
{
  "took" : 5,
  "timed_out" : false,
  "_shards" : {
    "total" : 20,
    "successful" : 20,
    "failed" : 0
  },
  "hits" : {
    "total" : 1690,
    "max_score" : 5.078534,
    "hits" : [ {
      "_index" : "logstash-2016.05.09",
      "_type" : "test_log",
      "_id" : "AVSUoiExhtVrl161fI41",
      "_score" : 5.078534,
      "_source" : {
        "message" : "2016-05-09T10:22:37+02:00 10.126.14.209 notice 2016 May  9 10:22:37.296 CEST: %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface Ethernet150/1/16, operational Transmit Flow Control state changed to on",
        "@version" : "1",
        "@timestamp" : "2016-05-09T08:22:37.296Z",
        "host" : "127.0.0.1:40990",
        "type" : "cisco-ios",
        "syslog_host_time" : "2016-05-09T10:22:37+02:00",
        "client" : "10.10.10.1",
        "severity" : "notice",
        "client_date" : "2016 May  9 10:22:37.296 CEST",
        "facility" : "ETHPORT",
        "int_severity" : "5",
        "mnemonic" : "IF_TX_FLOW_CONTROL",
        "short_message" : "Interface Ethernet150/1/16, operational Transmit Flow Control state changed to on",
        "tags" : [ "test" ],
        "@source_host" : "test-20.corp"
      }

So I don't understand why I can't retrieve the "@source_host.raw" field in Visualize on Kibana.

Do you have any idea?

Thanks,
Alex


(Tyler Smalley) #2

Do you see the field in the settings for that index? If not, try refreshing the field list.


(alexandre) #3

Thanks for your reply!

I had to re-configure the index pattern in Kibana settings. And now I can see the .raw field.

I have some mapping conflicts now but I see my new field :wink:

Thanks again,
Alex
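The two things this thread touches, the multi-field "raw" sub-field that only appears once the index pattern's field list is re-read from the mapping, and the mapping conflicts that show up when the same field path has different types in different daily indices, can both be reproduced offline by walking the mapping yourself. The script below is an added example written for this thread, not code from the original posts or from Kibana; it assumes a constructed `SAMPLE_MAPPINGS` in the shape of an Elasticsearch 2.x `GET /logstash-*/_mapping` response, with the `int_severity` type deliberately varied between two indices to trigger a conflict. The function and index names are illustrative.

```python
import json

# Constructed sample in the shape of GET /logstash-*/_mapping (ES 2.x),
# trimmed to two daily indices and a few fields. Not real cluster output.
# "int_severity" is "string" in one index and "long" in the other on purpose.
SAMPLE_MAPPINGS = json.loads(r'''
{
  "logstash-2016.05.09": {
    "mappings": {
      "cisco_log": {
        "properties": {
          "@source_host": {
            "type": "string",
            "analyzer": "custom-analyzer",
            "fields": {
              "raw": {"type": "string", "index": "not_analyzed"}
            }
          },
          "int_severity": {"type": "string"},
          "client": {"type": "ip"}
        }
      }
    }
  },
  "logstash-2016.05.08": {
    "mappings": {
      "cisco_log": {
        "properties": {
          "@source_host": {"type": "string"},
          "int_severity": {"type": "long"},
          "client": {"type": "ip"}
        }
      }
    }
  }
}
''')


def flatten_properties(properties, prefix=""):
    """Yield (path, type, analyzed) for every leaf field in a "properties"
    block, descending into object properties and into multi-field
    sub-fields declared under "fields" (so "@source_host.raw" is emitted)."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            yield from flatten_properties(spec["properties"], path + ".")
            continue
        ftype = spec.get("type", "object")
        # In ES 2.x a string field is analyzed unless "index" says otherwise.
        yield path, ftype, ftype == "string" and spec.get("index", "analyzed") == "analyzed"
        for sub, subspec in spec.get("fields", {}).items():
            subtype = subspec.get("type", ftype)
            yield (path + "." + sub, subtype,
                   subtype == "string" and subspec.get("index", "analyzed") == "analyzed")


def field_list(mappings):
    """Return {field_path: set(types)} across all indices and doc types,
    i.e. what a field cache holds after it is rebuilt from the mapping."""
    fields = {}
    for index in mappings.values():
        for doc_type in index["mappings"].values():
            for path, ftype, _ in flatten_properties(doc_type.get("properties", {})):
                fields.setdefault(path, set()).add(ftype)
    return fields


def conflicts(mappings):
    """Field paths mapped to more than one type across the matched indices."""
    return {p: sorted(t) for p, t in field_list(mappings).items() if len(t) > 1}


if __name__ == "__main__":
    for path, types in sorted(field_list(SAMPLE_MAPPINGS).items()):
        print(f"{path:20s} {', '.join(sorted(types))}")
    print("conflicts:", conflicts(SAMPLE_MAPPINGS))
```

Running it lists `@source_host.raw` as a `string` field alongside its parent, which is the entry the index pattern was missing until it was re-read, and reports `int_severity` as a conflict because the two indices disagree on its type; a field in that state cannot be aggregated on in Visualize until the indices are remapped consistently.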


(system) #4