I'm fairly new to the ELK stack, so most likely I'm just doing something dumb. I've failed to find suitable Google results, hence this post.
I have an Index Template configured with mappings, and I create a fresh index and store some documents in it, but only some fields get mapped properly (e.g. `rule_name`, `message`) while Kibana shows the other fields (e.g. `tags`, `url`) as "unknown fields".
Data JSON
{
  "_index": "logs-REMOVED.alerts",
  "_id": "QkQGs4IBxLlR-_ZMQ9ul",
  "_version": 1,
  "_score": 0,
  "_source": {
    "rule_id": "e9876de0-1ec9-11ed-8477-7b5684a31dfa",
    "rule_name": "Uptime Monitors (Networking)",
    "alert_id": "unifi_controller__https_unifi_REMOVED_com_REMOVED",
    "monitor_type": "http",
    "tags": "networking",
    "url": "https://unifi.REMOVED.com:8443",
    "message": "Get \"https://unifi.REMOVED.com:8443\": x509: certificate has expired or is not yet valid: current time 2022-08-19T01:14:21+03:00 is after 2022-03-16T09:25:02Z",
    "@timestamp": "2022-08-18T22:15:08.452Z"
  },
  "fields": {
    "rule_id": [
      "e9876de0-1ec9-11ed-8477-7b5684a31dfa"
    ],
    "@timestamp": [
      "2022-08-18T22:15:08.452Z"
    ],
    "rule_name": [
      "Uptime Monitors (Networking)"
    ],
    "alert_id": [
      "unifi_controller__https_unifi_REMOVED_com_8443_REMOVED"
    ],
    "alert_id.keyword": [
      "unifi_controller__https_unifi_REMOVED_com_8443_REMOVED"
    ],
    "message": [
      "Get \"https://unifi.REMOVED.com:8443\": x509: certificate has expired or is not yet valid: current time 2022-08-19T01:14:21+03:00 is after 2022-03-16T09:25:02Z"
    ],
    "monitor_type": [
      "http"
    ],
    "url": [
      "https://unifi.REMOVED.com:8443"
    ],
    "tags": [
      "networking"
    ]
  }
}
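The two things worth checking offline before touching the cluster are whether the template's `index_patterns` actually match the index name, and which top-level fields of the document are missing from the template's `mappings` (those fall under the mapping's `dynamic` setting: added on the fly when `true`, kept in `_source` but not indexed when `false`, rejected when `strict`). The script below is an added example, not code from the original post or from Elastic; the template in it is constructed to reproduce the symptom described (it maps `rule_name` and `message` but not `tags` or `url`), and the document is the `_source` from the post with its `REMOVED` placeholders left as-is.

```python
import re

# Constructed example template (not the poster's real one): it deliberately
# omits "tags" and "url" so the diagnostic below has something to find.
TEMPLATE = {
    "index_patterns": ["logs-*.alerts"],
    "template": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "rule_id": {"type": "keyword"},
                "rule_name": {"type": "keyword"},
                "alert_id": {"type": "keyword"},
                "monitor_type": {"type": "keyword"},
                "message": {"type": "text"},
            }
        }
    },
}

# The _source of the document shown in the post.
DOC = {
    "rule_id": "e9876de0-1ec9-11ed-8477-7b5684a31dfa",
    "rule_name": "Uptime Monitors (Networking)",
    "alert_id": "unifi_controller__https_unifi_REMOVED_com_REMOVED",
    "monitor_type": "http",
    "tags": "networking",
    "url": "https://unifi.REMOVED.com:8443",
    "message": 'Get "https://unifi.REMOVED.com:8443": x509: certificate has '
               "expired or is not yet valid: current time "
               "2022-08-19T01:14:21+03:00 is after 2022-03-16T09:25:02Z",
    "@timestamp": "2022-08-18T22:15:08.452Z",
}


def template_matches(template, index_name):
    """True if any index_patterns entry matches the index name.

    Elasticsearch index patterns only support '*' as a wildcard, so each
    pattern is turned into a regex with '*' -> '.*' and everything else
    escaped literally.
    """
    for pattern in template["index_patterns"]:
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        if re.match(regex, index_name):
            return True
    return False


def mapped_fields(properties, prefix=""):
    """Flatten a mappings 'properties' tree into dotted field names."""
    out = set()
    for name, spec in properties.items():
        full = prefix + name
        out.add(full)
        if "properties" in spec:  # nested object mapping
            out |= mapped_fields(spec["properties"], full + ".")
    return out


def doc_fields(source, prefix=""):
    """Flatten a document's leaf fields into dotted names."""
    out = set()
    for key, value in source.items():
        full = prefix + key
        if isinstance(value, dict):
            out |= doc_fields(value, full + ".")
        else:
            out.add(full)
    return out


def dynamic_mode(template):
    """Return the mapping's 'dynamic' setting as a string ('true' by default)."""
    mappings = template["template"]["mappings"]
    return str(mappings.get("dynamic", True)).lower()


def unmapped_fields(template, source):
    """Fields present in the document but absent from the template mapping."""
    props = template["template"]["mappings"].get("properties", {})
    return sorted(doc_fields(source) - mapped_fields(props))


def explain(template, index_name, source):
    """One-shot report a practitioner would read before blaming Kibana."""
    return {
        "template_matches_index": template_matches(template, index_name),
        "dynamic": dynamic_mode(template),
        "unmapped_fields": unmapped_fields(template, source),
    }


if __name__ == "__main__":
    print(explain(TEMPLATE, "logs-REMOVED.alerts", DOC))
```

If `template_matches_index` is `False`, the template was never applied and every field was mapped dynamically; if it is `True` and `unmapped_fields` is non-empty, those fields are the ones the template leaves to the `dynamic` setting, which is where a `false` value would leave them present in `_source` but unsearchable.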