Hi, I'm having a problem with shipping a log to Elasticsearch. I have the config set up to use `(?<Name>.{64})`; when the field has /carbon/admin/login.jsp it's separating on every slash. How can I get it to keep the slashes in the same field?
It's very hard to understand what you're asking. Please supply your configuration, an example of what your event looks like, and what you'd like it to look like instead.
Sorry, it looks like the issue I'm having is related to the mappings. I have a field called Name that looks like this in Discover: "Name:GET /carbon/metrics-view", which is how it should be. However, when I try to visualize this field it breaks it up into "GET", "carbon", "metrics", "view". I tried switching to raw, but there is no raw option for the field. I'm running Logstash 2.3.4 and Kibana 4.6.1. My Logstash conf is:
input {
  file {
    # The posted path read "jobs//builds//log"; the wildcards are assumed here,
    # since the forum rendering most likely swallowed the asterisks as italics.
    path => ["C:/Program Files (x86)/Jenkins/jobs/*/builds/*/log"]
    start_position => "beginning"
    sincedb_path => "nul"
  }
}
filter {
  grok {
    # Fixed-width columns. The named-capture names were stripped from the posted
    # pattern; they are restored here from the strip list in the mutate below.
    match => ["message", "(?<Name>.{64})(?<reqs>.{10})(?<fails>.{13})(?<Avg>.{8})(?<Min>.{8})(?<Max>.{8})(?<Median>.{9})(?<req\s>.{5})"]
  }
  mutate {
    strip => ["Name", "reqs", "fails", "Avg", "Min", "Max", "Median", "req\s"]
    # One convert hash instead of repeating the option once per field.
    convert => {
      "reqs"   => "integer"
      "fails"  => "integer"
      "Avg"    => "integer"
      "Min"    => "integer"
      "Max"    => "integer"
      "Median" => "integer"
      "req\s"  => "integer"
    }
  }
}
Yes, this is indeed mapping-related. The field in question is analyzed, but you don't want that when you're doing term aggregations. Use an index template to set the field in question to not_analyzed.
A wild guess as to why you don't have a .raw subfield is that you're calling your indexes something other than logstash-*. The index template that Logstash installs by default only applies to logstash-* indexes.
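An index template that does what the answer describes, written as an added example (it is not from the original thread, and not Logstash's bundled template). It assumes Elasticsearch 2.x to match Logstash 2.3.4, and it assumes the indexes are named `jenkins-*`; change the `template` pattern to whatever your elasticsearch output's `index` setting actually produces. The explicit `properties` make `Name` not_analyzed so a terms aggregation returns "GET /carbon/metrics-view" whole, and the dynamic template gives every other string field the `.raw` subfield the default Logstash template would otherwise provide:

```json
{
  "template": "jenkins-*",
  "order": 1,
  "settings": {
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings_with_raw": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "analyzed",
              "omit_norms": true,
              "fields": {
                "raw": {
                  "type": "string",
                  "index": "not_analyzed",
                  "ignore_above": 256
                }
              }
            }
          }
        }
      ],
      "properties": {
        "@timestamp": { "type": "date" },
        "Name":   { "type": "string", "index": "not_analyzed" },
        "reqs":   { "type": "integer" },
        "fails":  { "type": "integer" },
        "Avg":    { "type": "integer" },
        "Min":    { "type": "integer" },
        "Max":    { "type": "integer" },
        "Median": { "type": "integer" }
      }
    }
  }
}
```

Install it either with `curl -XPUT 'http://localhost:9200/_template/jenkins' -d @jenkins-template.json` (host assumed), or by pointing the elasticsearch output at the file with `template => "/path/to/jenkins-template.json"`, `template_name => "jenkins"` and `template_overwrite => true`. Two caveats: a template only affects indexes created after it is installed, so delete or reindex the existing index before expecting the field to aggregate correctly, and then refresh the field list for the index pattern in Kibana's Settings tab so the new mapping (and the `.raw` subfields) show up. `"index": "not_analyzed"` is 2.x syntax; on Elasticsearch 5 and later the same intent is expressed with `"type": "keyword"`.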