Nagios Support Forum

Just installed the trial version of log server and was able to get up to speed quite quickly. I've managed to get our firewall logs indexed (and have a filter to identify/index individual fields). The fields appear to be pulling through correctly (although some are NULL/blank, which is expected in the firewall's syslog stream).

I'm now trying to create a terms_stats panel but it does not seem to be working - it is blank. A normal terms panel + counts works fine.

Here are the settings:
And this is the output:

I tested this on my machine, and it works fine. I have a hunch about what might be going on here.

Please navigate to the field that you're using to display this information (Bytes Received) and tell me what is in the section I have highlighted: I am thinking that your 'Bytes Received' field may be composed of a string, meaning that it can't be totaled. Let me know if that's the case.

You are correct. It's showing up as a string.

Do I change this under the filter settings?

I managed to sort this out by adding the following to the filter:

mutate {
convert => [ 'Bytes Received','integer' ]
convert => [ 'Bytes Sent','integer' ]
convert => [ 'Bytes','integer' ]
}


One problem - I had to delete the existing index files before it would pick up the new field type, which right now isn't too bad since we're just evaluating. Is there a way to fix this in future (without deleting anything), like a re-index or something similar? I could not find anything in the GUI.

I'm happy to hear that you got this working.

One problem - I had to delete the existing index files before it would pick up the new field type, which right now isn't too bad since we're just evaluating. Is there a way to fix this in future (without deleting anything), like a re-index or something similar? I could not find anything in the GUI.

There are ways, but they are not ideal. The best approach is to triple-check and make sure that it's done right the first time. Elasticsearch doesn't have this functionality built-in because ultimately, it's a very difficult thing to do.

Some other methods:
You can create a new field, and leave the old one in place. If you have a field 'bytes sent' and it's currently a string, you could make it into an integer by changing the field to 'bytes sent firewall1'. After the field is generated, it will be assigned with the integer type. You will of course need to change your logstash configuration appropriately before generating the new field.

You can also attempt to change the mapping, as detailed here:
https://www.elastic.co/blog/changing-ma ... o-downtime