User Agent Raw Mapping

Hi,

I have recently set up Elasticsearch, Logstash and Kibana.

My Logstash includes the useragent plugin and all that seems to be working fine.

My problem is when it comes to visualising the user agent: the separate words in the os_name field are being split into separate sections on the chart. I am pretty sure that this is being caused by Elasticsearch using each of the words as separate tokens, but I am lost when it comes to making them be read as one token.

Can anyone help?

Thanks,
Joe

You need to modify the index template used so that the fields in question are not_analyzed.

Alternatively, you can aggregate on the .raw subfield that you probably have.

There is no raw field and that is how I have seen it being done everywhere else.

Is there any way of forcing that to be added in Logstash? Or is that an Elasticsearch or Kibana thing?


I'm guessing your index name doesn't start with "logstash-"?


It's an Elasticsearch thing, but done upon request from Logstash's default configuration and the index template it pushes to ES (and that template only matches indexes whose names match logstash-*).

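To make the two answers above concrete (the not_analyzed .raw subfield, and why it only appears when the index name matches the template's pattern), here is an added example that is not part of the original thread and not Elastic's own code. It embeds a cut-down template in the shape Logstash pushed to Elasticsearch 1.x/2.x, with a single dynamic template for string fields; the index names, the os_name values and the simplified tokeniser are constructed for illustration. On Elasticsearch 5 and later the equivalent of a not_analyzed string is a keyword subfield, and the Logstash template names it .keyword rather than .raw.

```python
"""Added example: a small model of how Logstash's index template gives every
string field a not_analyzed ".raw" subfield, and why an index whose name does
not match the template pattern gets no such subfield."""
import fnmatch

# Constructed template (assumption: cut down from the 1.x/2.x-era Logstash
# default, which carries more entries than this).
LOGSTASH_TEMPLATE = {
    "template": "logstash-*",  # the mapping below is applied only to these indexes
    "mappings": {
        "_default_": {
            "dynamic_templates": [
                {"string_fields": {
                    "match": "*",
                    "match_mapping_type": "string",
                    "mapping": {
                        "type": "string",
                        "index": "analyzed",  # tokenised: "Windows 7" -> ["windows", "7"]
                        "fields": {
                            "raw": {
                                "type": "string",
                                "index": "not_analyzed",  # the whole value is one term
                                "ignore_above": 256,
                            }
                        },
                    },
                }}
            ]
        }
    },
}


def template_applies(template, index_name):
    """True if the template's index pattern (e.g. logstash-*) matches the index name."""
    return fnmatch.fnmatchcase(index_name, template["template"])


def effective_mapping(template, index_name, field, value):
    """Mapping a dynamically created field gets. Simplified model of
    Elasticsearch dynamic templates: the first matching dynamic template wins;
    when no template applies, a string becomes a plain analyzed field with no
    subfields (which is what the thread's custom-named index ended up with)."""
    default = {"type": "string", "index": "analyzed", "fields": {}}
    if not template_applies(template, index_name) or not isinstance(value, str):
        return default
    for entry in template["mappings"]["_default_"]["dynamic_templates"]:
        (rule,) = entry.values()
        if rule.get("match_mapping_type") == "string" and fnmatch.fnmatchcase(field, rule["match"]):
            return rule["mapping"]
    return default


def terms_for_aggregation(index_name, field, values, template=LOGSTASH_TEMPLATE):
    """Buckets a Kibana terms aggregation would show on `field` (tokenised, the
    symptom in the question) versus `field.raw` (whole values). The tokeniser
    is an approximation of the standard analyzer: lower-case, split on spaces."""
    mapping = effective_mapping(template, index_name, field, values[0])
    tokenised = sorted({tok.lower() for v in values for tok in v.split()})
    if "raw" in mapping.get("fields", {}):
        raw = sorted(set(values))
    else:
        raw = None  # no .raw subfield exists, so there is nothing to aggregate on
    return {"field": tokenised, "raw": raw}


if __name__ == "__main__":
    # Constructed os_name values as the useragent filter might produce them.
    sample = ["Windows 7", "Mac OS X", "Windows 7"]
    for index in ("logstash-2015.10.01", "useragent-2015.10.01"):
        print(index, "matches template:", template_applies(LOGSTASH_TEMPLATE, index))
        print("  buckets:", terms_for_aggregation(index, "os_name", sample))
```

Running it shows the question's symptom on the custom-named index (buckets windows, 7, mac, os, x and no raw subfield) and the fix on the logstash-* index (os_name.raw buckets Windows 7 and Mac OS X). If you need to keep a custom index name instead of renaming as the thread did, the elasticsearch output's template and template_name options let Logstash push a copy of the template whose pattern matches your name.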

Ah okay yeah. I have changed my index name to start with logstash-... and it all works great now.

Thank you for your help!