

Can't use parsed fields to visualize data on kibana

I'm new to the ELK stack. I've been trying to build visualizations with it, but the Visualize field pickers won't let me choose the grok-parsed fields such as verb, response or request; only a handful of fields are offered:

However, in the Discover section those fields are present and I can filter and search on them without any problem. Here is one of the documents from my query results:

(I'm using Kibana 4.4.2, filebeat forwarding to logstash 2.2.3)

{
  "_index": "filebeat-2016.04.12",
  "_type": "apache_log",
  "_id": "AVQMoRFwO5HM5nz1lmXf",
  "_score": null,
  "_source": {
    "message": "187.142.15.173 - - [12/Apr/2016:16:39:23 -0600] \"GET /v1.0/person/297312123/client/1132347/profile HTTP/1.1\" 200 2051 \"-\" \"Android CEX 2.2.0\"",
    "@version": "1",
    "@timestamp": "2016-04-12T22:39:27.064Z",
    "beat": {
      "hostname": "myhost",
      "name": "myhost"
    },
    "count": 1,
    "fields": null,
    "input_type": "log",
    "offset": 30034512,
    "source": "/var/log/httpd/access_log",
    "type": "apache_log",
    "host": "myhost",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "clientip": "187.142.15.173",
    "ident": "-",
    "auth": "-",
    "timestamp": "12/Apr/2016:16:39:23 -0600",
    "verb": "GET",
    "request": "/v1.0/person/297312123/client/1132347/profile",
    "httpversion": "1.1",
    "response": "200",
    "bytes": "2051",
    "referrer": "\"-\"",
    "agent": "\"Android CEX 2.2.0\"",
  },
  "fields": {
    "@timestamp": [
      1460500767064
    ]
  },
  "sort": [
    1460500767064
  ]
}

What could possibly be wrong with this?

Here is my config file:

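   filter {
     # Syslog lines (filebeat type "syslog"): split the header into fields, keep
     # when/where logstash received the event, and take @timestamp from the log.
     if [type] == "syslog" {
       grok {
         match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
         add_field => {
           "received_at"   => "%{@timestamp}"
           "received_from" => "%{host}"
         }
       }
       syslog_pri { }
       date {
         match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
       }
     }

     # Apache combined access log (filebeat type "apache_log").
     if [type] == "apache_log" {
       grok {
         match => { "message" => "%{COMBINEDAPACHELOG}" }
       }
       # A line that does not match the pattern is tagged _grokparsefailure and
       # carries none of the fields used below, so only post-process parsed events.
       if "_grokparsefailure" not in [tags] {
         # Use the request's own time for @timestamp rather than the time logstash
         # received the event; without this every event is stamped at ingest (the
         # sample document shows the two a few seconds apart).
         date {
           match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
         }
         mutate {
           # COMBINEDAPACHELOG keeps the surrounding quotes on referrer and agent
           # (the sample shows "\"-\"" and "\"Android CEX 2.2.0\""); strip them so
           # the values aggregate cleanly.
           gsub => [
             "referrer", "\"", "",
             "agent",    "\"", ""
           ]
           # response and bytes are captured as strings; numeric fields are needed
           # for metric aggregations (sum/avg of bytes, ranges of status codes).
           # NOTE(review): the current daily index has already mapped these as
           # strings, so the integer mapping only takes effect from the next
           # index; filebeat-* will show a type conflict until the old ones age out.
           convert => {
             "response" => "integer"
             "bytes"    => "integer"
           }
         }
       }
     }
   }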

Thanks in advance!



Answers (1)



My first thought would be the Kibana field cache. Kibana reads the index pattern's field list when the pattern is created (or last refreshed), and the visualization editors only offer fields from that cached list, whereas Discover shows whatever is in each document's `_source`. Fields that grok started producing after the pattern was created therefore don't appear in Visualize until the list is refreshed. Go to Settings->Indexes, select your index pattern, and click the orange Reload button to refresh the field list.

