Hello Guys,
I am getting two message fields in Kibana. One has the parsed message and the other one is the unparsed one, with the complete log in the message field.
How can I remove the unparsed message field?
Thank you,
Nitin
This seems like an elasticsearch mapping problem. Could you query elasticsearch for the mapping and copy and paste the response here?
@lukas Thanks for the reply.
Here is the response of the Elasticsearch mapping query:
{
  "intelmule2-2016.10.19" : {
    "mappings" : {
      "default" : {
        "_all" : {
          "enabled" : true,
          "omit_norms" : true
        },
        "dynamic_templates" : [ {
          "template1" : {
            "mapping" : {
              "ignore_above" : 1024,
              "index" : "not_analyzed",
              "type" : "{dynamic_type}",
              "doc_values" : true
            },
            "match" : ""
          }
        } ],
        "properties" : {
          "@timestamp" : {
            "type" : "date",
            "format" : "strict_date_optional_time||epoch_millis"
          },
          "offset" : {
            "type" : "long"
          },
          "tstamp" : {
            "type" : "date",
            "format" : "strict_date_optional_time||epoch_millis"
          }
        }
      },
      "intelmule" : {
        "_all" : {
          "enabled" : true,
          "omit_norms" : true
        },
        "dynamic_templates" : [ {
          "template1" : {
            "mapping" : {
              "ignore_above" : 1024,
              "index" : "not_analyzed",
              "type" : "{dynamic_type}",
              "doc_values" : true
            },
            "match" : ""
          }
        } ],
        "properties" : {
          "@timestamp" : {
            "type" : "date",
            "format" : "strict_date_optional_time||epoch_millis"
          },
          "@version" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "Manager" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "Runner" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "Severity" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "beat" : {
            "properties" : {
              "hostname" : {
                "type" : "string",
                "index" : "not_analyzed",
                "ignore_above" : 1024
              },
              "name" : {
                "type" : "string",
                "index" : "not_analyzed",
                "ignore_above" : 1024
              }
            }
          },
          "count" : {
            "type" : "long"
          },
          "host" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "input_type" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "message" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "messsage" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "offset" : {
            "type" : "long"
          },
          "source" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "tags" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "timestamp" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          },
          "tstamp" : {
            "type" : "date",
            "format" : "strict_date_optional_time||epoch_millis"
          },
          "type" : {
            "type" : "string",
            "index" : "not_analyzed",
            "ignore_above" : 1024
          }
        }
      }
    }
  }
}
Sorry, guys, it's a stupid mistake. Both message fields are different: the first message field has an extra s in it and the other one is the normal one.
Sorry again.
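The root cause here is a mis-typed field name ("messsage") produced upstream, which is only visible once you read the index mapping. As an added example that is not part of this thread, the Python below walks a GET _mapping response (a constructed, trimmed copy of the one posted above) and flags field names that are within one edit of each other, so a typo like this is caught before it turns into two columns in Kibana; the function and field names are mine, not Elastic's.

```python
import json
from itertools import combinations

# Constructed sample: a trimmed copy of the mapping response posted in the
# thread, keeping the fields that matter (message, messsage, nested beat.*).
SAMPLE_MAPPING = json.dumps({"intelmule2-2016.10.19": {"mappings": {"intelmule": {
    "properties": {
        "@timestamp": {"type": "date"},
        "message": {"type": "string", "index": "not_analyzed"},
        "messsage": {"type": "string", "index": "not_analyzed"},
        "beat": {"properties": {"hostname": {"type": "string"},
                                "name": {"type": "string"}}},
        "timestamp": {"type": "string"},
        "tstamp": {"type": "date"},
    }}}}})

def field_paths(properties, prefix=""):
    """Flatten a mapping 'properties' dict into dotted field paths."""
    paths = []
    for name, spec in properties.items():
        if "properties" in spec:  # object field such as 'beat': recurse
            paths.extend(field_paths(spec["properties"], f"{prefix}{name}."))
        else:
            paths.append(f"{prefix}{name}")
    return paths

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 is the classic one-letter typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_pairs(mapping_json, max_distance=1):
    """Pairs of field names (across every index and type in the response)
    that are within max_distance edits of each other, e.g. message/messsage."""
    paths = set()
    for index in json.loads(mapping_json).values():
        for type_mapping in index["mappings"].values():
            paths.update(field_paths(type_mapping.get("properties", {})))
    return sorted((a, b) for a, b in combinations(sorted(paths), 2)
                  if edit_distance(a, b) <= max_distance)

if __name__ == "__main__":
    for a, b in suspicious_pairs(SAMPLE_MAPPING):
        print(f"review: {a!r} vs {b!r}")
```

Note that "@timestamp" vs "timestamp" is also reported; that pair is legitimate in this mapping, so the output is a review list, not a list of errors.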