Visualisation: trying to unique count a field with a "-" in it, not working

Hi,

I am trying to count unique log streams, and the format of the value is "i-123abc456".
When I do the unique count, it counts the "i" as one value, so it is adding 1 to my unique count.

i.e. if I had a legend, we would have:
i
123abc456

If there were two log streams, "i-123abc456" and "i-789def101", then the count would be three and the legend would be:
i
123abc456
789def101

Do you know what I can do to fix this pls?

Thanks,

Its because the field is analysed ... change the field mapping to not_analyzed or add a not_analyzed sub field to it that you can reference for this use.

Hi,

I am using the managed version of Elastic + Kibana with AWS. So do you know if it is still possible to do this through that platform?

I have no experience with that - but I'm almost 100% sure you should be able to.
This is a basic and almost always required feature.

How are you loading your data into elasticsearch ?
You usually put the index mapping through the same REST api that you would use to query elasticsearch directly ...and I'm sure they must expose that to you.

If you have no experience with AWS then my answer to that will be a bit lost. But there is a service within AWS called Cloudwatch. Your application logs get saved there, when new logs are written to this location, a function triggers (lambda) to stream your logs to your elastic search domain.
There seems to be limited functionality when you set up this 'streaming' - the one option I can see which might help is "Subscription Filter Pattern" - quote: Specify the log event structure and any filter conditions to apply on your log data as it gets streamed to Amazon Elasticsearch Service.
But not sure how to use that yet.

Yeah - I'm sorry, cant help you there. But you might have better luck asking in the elasticsearch category about how to achieve not_alayzed field mapping in AWS sollution.

Good luck

Thanks!