Just installed the trial version of log server and was able to get up to speed quite quickly. I've managed to get our firewall logs indexed (and have a filter to identify/index individual fields). The fields appear to be pulling through correctly (although some are NULL/blank, which is expected in the firewall's syslog stream).
I'm now trying to create a terms_stats panel but it does not seem to be working - it is blank. A normal terms panel + counts works fine.
Here are the settings:
And this is the output:
Terms_stats panel blank
Terms_stats panel blank
You do not have the required permissions to view the files attached to this post.
Re: Terms_stats panel blank
I tested this on my machine, and it works fine. I have a hunch about what might be going on here.
Please navigate to the field that you're using to display this information (Bytes Received) and tell me what is in the section I have highlighted: I am thinking that your 'Bytes Received' field may be composed of a string, meaning that it can't be totaled. Let me know if that's the case.
Please navigate to the field that you're using to display this information (Bytes Received) and tell me what is in the section I have highlighted: I am thinking that your 'Bytes Received' field may be composed of a string, meaning that it can't be totaled. Let me know if that's the case.
You do not have the required permissions to view the files attached to this post.
Re: Terms_stats panel blank
You are correct. It's showing up as a string.
Do I change this under the filter settings?
Do I change this under the filter settings?
Re: Terms_stats panel blank
I managed to sort this out by adding the following to the filter:
mutate {
convert => [ 'Bytes Received','integer' ]
convert => [ 'Bytes Sent','integer' ]
convert => [ 'Bytes','integer' ]
}
One problem - I had to delete the existing index files before it would pick up the new field type, which right now isn't too bad since we're just evaluating. Is there a way to fix this in future (without deleting anything), like a re-index or something similar? I could not find anything in the GUI.
mutate {
convert => [ 'Bytes Received','integer' ]
convert => [ 'Bytes Sent','integer' ]
convert => [ 'Bytes','integer' ]
}
One problem - I had to delete the existing index files before it would pick up the new field type, which right now isn't too bad since we're just evaluating. Is there a way to fix this in future (without deleting anything), like a re-index or something similar? I could not find anything in the GUI.
Re: Terms_stats panel blank
I'm happy to hear that you got this working.
Some other methods:
You can create a new field, and leave the old one in place. If you have a field 'bytes sent' and it's currently a string, you could make it into an integer by changing the field to 'bytes sent firewall1'. After the field is generated, it will be assigned with the integer type. You will of course need to change your logstash configuration appropriately before generating the new field.
You can also attempt to change the mapping, as detailed here:
https://www.elastic.co/blog/changing-ma ... o-downtime
There are ways, but they are not ideal. The best approach is to triple-check and make sure that it's done right the first time. Elasticsearch doesn't have this functionality built-in because ultimately, it's a very difficult thing to do.One problem - I had to delete the existing index files before it would pick up the new field type, which right now isn't too bad since we're just evaluating. Is there a way to fix this in future (without deleting anything), like a re-index or something similar? I could not find anything in the GUI.
Some other methods:
You can create a new field, and leave the old one in place. If you have a field 'bytes sent' and it's currently a string, you could make it into an integer by changing the field to 'bytes sent firewall1'. After the field is generated, it will be assigned with the integer type. You will of course need to change your logstash configuration appropriately before generating the new field.
You can also attempt to change the mapping, as detailed here:
https://www.elastic.co/blog/changing-ma ... o-downtime