Visualisation: Term, field not in list

Russell_Fulton · May 16, 2021, 8:50pm

I am trying to make a standard time on x axis stacked bar chart but when I try and split the bar the on a term the field I want to use is not listed.

here is a sample raw record (trimmed for brevity). Important fields are event_type (primary aggregation and rule_id the term I am trying to split the bar on.

@timestamp.  2021 05 17  @ 08:07:05 +12:00	
action blocked
dst_ip 104.21.28.12	
event_type FilteredWebsites_Event	
rule_id Blocked by internal blacklist
severity Warning

mapping for rule_id is keyword.

Visualisation filter is event_type : FilteredWebsites_Event

Screen Shot 2021-05-17 at 8.45.34 AM

and rule_id is not in the selection list.

Any ideas as to what is going on?

stephenb · May 16, 2021, 9:29pm

That typically means the field is not defined as a keyword

You said that you define it as a keyword so it's possible that the index pattern needs to be refreshed if you are on a version before 7.10 or so

Russell_Fulton · May 16, 2021, 10:24pm

Ah! I know what the issue is: the index is a datastream and i need to force it to rollover to get the revised mapping visible to kibana. BTW I could not find a way of forcing and index to rollover other than tweaking the ILM policy and remembering to remove the tweak once the rollover happens.

stephenb · May 19, 2021, 1:15am

@Russell_Fulton

Learned this today... The rollover API.... huh who knew, good ta have the back pocket, you wont need to mess with the ILM next time you want to do it.

POST /<rollover-target>/_rollover/

you can even dry run it!
POST /<rollover-target>/_rollover/?dry_run

Russell_Fulton · May 19, 2021, 1:43am

Doh! I am sure I looked at the rollover API at one stage and then forgot about !

Thanks!

system · June 16, 2021, 1:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.