for example: `source: "/var/log/containers/greyhound-segment*.log"`, using Kibana 4.
Is anyone experiencing the same frustrating issue?
I also noticed this error on the Kibana page:
"This field is present in your elasticsearch mapping but not in any documents in the search results. You may still be able to visualize or search on it."
Does it relate to the issue?
Hi Nanshan,
If you are on the Discover tab and you only have `*` in the query bar, then you get results?
And on the left panel in Discover you have a field named "source" in the field list?
If you check on the Settings tab, click on your index pattern, and then it will show the list of fields. You can type `source` in the filter bar to more quickly find the field if there's a lot.
Do you see a field named `_source` and one named `source`?
And if you do have one named `source` is it `analyzed` and `indexed` or just `indexed`?
If you only have `_source` shown, then you would just put `/var/log/containers/greyhound-segment*.log` in the query bar (not the `source:` part and no double-quotes).
If you do have a `source` field and it's analyzed, it would have split that log file path into individual fields on the slashes. So in that case you could try searching for `source: /var/log/containers/greyhound-segment*.log`; it will return every doc where source contains `var` or `log` or `containers` or `greyhound-segment*.log`.
If you really need to search on the full path, you would need an unanalyzed field like source.raw (maybe you saw that in your field list for this index?).
Here's a link to a page that explains it very well:
Tim Roes – 29 May 16
This tutorial explains how to write and understand Kibana and Elasticsearch queries in depth and how the mapping of Elasticsearch influences these queries.
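The analyzed `source` field with an unanalyzed `raw` sub-field that the reply above refers to, written out as a mapping. This is an added example, not part of the original thread; it assumes the Elasticsearch 1.x/2.x `string` mapping syntax, and the type name `example_logs` is a placeholder.

```json
{
  "mappings": {
    "example_logs": {
      "properties": {
        "source": {
          "type": "string",
          "index": "analyzed",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      }
    }
  }
}
```

With a mapping like this, the Settings tab lists both `source` (analyzed and indexed) and `source.raw` (indexed only), and the full path is stored as a single term only in `source.raw`.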
Thanks for explaining, Lee.
I noticed if I search `source: "/var/log/containers/greyhound-segment*"`, it can work.
I am wondering what is wrong with adding `.log` at the end