I did this in Dev Tools:
PUT /filebeat
{
  "mappings": {
    "_doc": {
      "properties": {
        "message": {
          "type": "keyword"
        }
      }
    }
  }
}
But the message field is still not aggregatable.
If my field is message, do you mean I should use message.doc_values?
This is my Painless script to extract the last word from message:
// Pattern.split returns a String[], so parts is declared as an array
String[] parts = /-/.split(doc['message'].value);
return parts[-1];
Can you please explain with an example? I am very new to ES/Kibana.
Thanks