Kibana splits on hostname

If you’re playing with Kibana and you notice any Pie charts splitting values incorrectly, i.e. on a hostname with hyphen characters, then here’s the fix you need to apply. It’s actually something elasticsearch does…

curl -XPUT http://localhost:9200/_template/syslog -d '
{
	"template": "*syslog*",
	"settings" : {
					"number_of_shards" : 1
	},
	"mappings" :  {
					"file" : {
                              	"properties" : {
                                                	"host" : {
                                                              	"type" : "string",
                                                            	"index" : "not_analyzed"
                                                     }
                                                }
                                }
                }
}
'

This will instruct elasticsearch not to break the fieldname “host” into tokens for any index with “syslog” in the name. Note this will only apply to new indexes. You’ll need to delete all the current indexes and re-import your data if you need the backlog corrected too.


Leave a Reply