for example: source: "/var/log/containers/greyhound-segment*.log", using kibana 4.
Anyone is experiencing the same frustrating issue>?
I also noticed this error on the Kibana page
This field is present in your elasticsearch mapping but not in any documents in the search results. You may still be able to visualize or search on it.
Does it relate to the issue ?
Hi Nanshan,
If you are on the Discover tab and you only have * in the query bar, then you get results?
And on the left panel in Discover you have a field named "source" in the field list?
If you check on the Settings tab, click on your index pattern, and then it will show the list of fields. You can type source in the filter bar to more quickly find the field if there's a lot.
Do you see a field named _source and one named source?
And if you do have one named source is it analyzed and indexed or just indexed?
If you only have _source shown, then you would just put /var/log/containers/greyhound-segment*.log in the query bar (not the source: part and no double-quotes).
If you do have a source field and it's analyzed, it would have split that log file path into individual fields on the slashes. So in that case you could try searching for source: /var/log/containers/greyhound-segment*.log it will return every doc where source contains var or log or containers or greyhound-segment*.log.
If you really need to search on the full path, you would need an unanalyzed field like source.raw (maybe you saw that in your field list for this index?).
Here's a link to a page that explains it very well;
Regards,
Lee
Thanks for explaining, Lee.
I noticed if I search `source: "/var/log/containers/greyhound-segment*" , it can work
I am wondering what is wrong by adding .log at the end
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.