Kibana: Term breaks my field value into multiple values.

Created on 14 Aug 2013 · 19Comments · Source: elastic/kibana

My field value looks like "UzC1qjJMt_afb-gjOewA:9". Term breaks it into three different values "UzC1qjJMt_afb", "gjOewA" and "9". It looks pretty consistent for all the field values. It sounds like an issue with term. Can somebody confirm it? Thanks.

Source

rightedges

Most helpful comment

@Darpan205
How do you solves in kibana 4(beta 3)?
I didn't find any way to add .raw. Did you add it in "Json input"?
Could you give me a sample?

Thanks.

greenapplepark on 12 Mar 2015

👍3

All 19 comments

I think it's more a question on analyzer.
If you have default analyzer for this field, then doing facet on it will show strange results.

You should modify your mapping. See http://www.elasticsearch.org/guide/reference/mapping/

dadoonet on 14 Aug 2013

Ah I'll look into that. Thanks!

rightedges on 14 Aug 2013

how should one change the mapping?

KlavsKlavsen on 4 Nov 2013

or rather - is there a default recommendation for logstash users?

KlavsKlavsen on 4 Nov 2013

Elasticsearch allows you to setup a default-mapping.json file in the
CONF_DIR. Below is the file I use for logstash version 1 and elasticsearch
0.90.x.

{
"_default_": {
"_all": { "enabled": false },
"_source": { "compress": true },
"properties" : {
"message" : { "type" : "string", "index" : "analyzed" },
"source_host" : { "type" : "string", "index" : "not_analyzed" },
"tags": { "type": "string", "index" : "not_analyzed" },
"@timestamp" : { "type" : "date", "index" : "not_analyzed" },
"type" : { "type" : "string", "index" : "not_analyzed" }
}
}
}

Curtis Ruck
Anytime: 210-857-1126

On Mon, Nov 4, 2013 at 6:28 AM, Klavs Klavsen [email protected]:

or rather - is there a default recommendation for logstash users?

—
Reply to this email directly or view it on GitHubhttps://github.com/elasticsearch/kibana/issues/364#issuecomment-27678861
.

ruckc on 4 Nov 2013

@ruckc Thank you very much.
one note. AFAIK source_host is actually just called host in v1 (logstash 1.2+).. so should it say host instead?

KlavsKlavsen on 4 Nov 2013

so - if I set my host to type string - then it will stop trying to split hostnames such as "server-pre01" into two?

KlavsKlavsen on 4 Nov 2013

No, the special juju is the 'not_analyzed'. Also, i use a custom pure-java
logstash replacement so i never fully switched to v1.

Curtis Ruck
Anytime: 210-857-1126

On Mon, Nov 4, 2013 at 9:23 AM, Klavs Klavsen [email protected]:

so - if I set my host to type string - then it will stop trying to split
hostnames such as "server-pre01" into two?

—
Reply to this email directly or view it on GitHubhttps://github.com/elasticsearch/kibana/issues/364#issuecomment-27687984
.

ruckc on 4 Nov 2013

Not sure if this is still an issue but you can use "{field_name}.raw" now to get the non-analyzed version of the value. For example, if your field name is "host" you can use "host.raw".

pobzeb-relevantidea on 25 Feb 2014

You can only use .raw if it is in your mapping. If you're a logstash user it usually will be.

rashidkpc on 25 Feb 2014

If you are not using Logstash to process your logs but and you still want to have the .raw mappings automatically created for you nightly indices, you can run the following commands:

curl -o template.json https://raw.github.com/elasticsearch/logstash/v1.3.3/lib/logstash/outputs/elasticsearch/elasticsearch-template.json
curl -XPUT http://localhost:9200/_template/logstash [email protected]

This will setup the dynamic mapping for the logstash-YYYY.MM.DD indices. Keep in mind that the .raw mappings will only be present for the new indices.

Logstash 1.3+ does this automatically.

simianhacker on 25 Feb 2014

Kibana users: for the Terms panel (e.g. pie graph) you can use my_field_name.raw. This should work out of the box. You don't need to set fields to not-analyzed. If you've customized your index names, just make sure they start with logstash-.