Haven't used Kibana in a while, but I've caught on to 4 pretty quickly. The thing I cannot figure out now is this problem with visualization.
Whenever I try to stack line charts by host (or split pie charts by host) I get a list of all the hosts then the domain is listed as an extra host with a count equal to the sum of all the individual hosts.
This effectively doubles the charts and throws them off.
When I look at the raw logs each host has its full fqdn as a hostname, so I'm not sure what's going on.
There are two images below, in both cases, the purple area is the domain all other sections are individual hosts.
I'm pretty sure there's an obvious answer here, but after searching for two hours I can't find it.
Update
I've found one log type that doesn't do this. When I visualize it the entire fqdn for each host shows up in the Legend.
All of the others split the hostname up from the domain. However I still can't figure out why this is happening.