Visualize "unkown" data fields

sbeee · February 6, 2018, 4:21pm

hi guys,

i've installed the syslog_pri plugin to display syslog facility & severity. i also added a field for translation of severity numbers into strings like critical, warning etc.. this field is called "severity".

this all works as expected and will show up in kibana/discover.

now i want to visualize the count of severity labels (how many criticals, warnings etc. for a given time period).

my problem is...i can't visualize these new data fields because they fail to appear in the list of "terms" or "significant terms".

the reason for that could be the "unknown" data field type status!??! how can i change that?

thomasneirynck · February 7, 2018, 7:56pm

hi @sbeee,

Not 100% sure what's going on, also not too familiar with logstash.

But this seems more like a logstash issue (?). All fields should be mapped with a known data-type.

What is the mapping of that index? It should show something like "type": "keyword" before it can be used in aggregations.

sbeee · February 8, 2018, 9:08am

I've found the "issue". The trick is to refresh the index pattern manually via Management > Kibana > Index Patterns > "Refresh field list"

The new data fields are now tagged as string etc. and can be used in the visualization module.

system · March 8, 2018, 9:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.