Aggregating a list of http log paths in kibana

Question

I have a nginx->fluentd->elasticsearch->kibana stack up and running. Trying to figure if I can do something like a "terms" panel but with a path string component from logs. Using a terms panel directly on that results in top used words from paths, e.g. for drupal it shows "node" as the most popular, which is quite useless without actual node id.

Is that something that is possible to do with elasticsearch?

Update: Here's a sample of my logs:

"path": "/node/123"
"path": "/node/456"
"path": "/user/create"

If I add a "terms" panel for "path" field, I get columns for "node", "user", "create", which make no statistical sense. What I need is a terms panel that aggregates on unique field values, not unique word parts of the field.

score 1 · Accepted Answer · edited May 23 '17 at 10:25

1

You need to configure Elasticsearch's mapping for setting your "path" field as a "not_analyzed" one. The default setting is "analyzed" and by default, ES parses the string fields and divide them in multiple tokens when possible, which is probably what happened in your case. See this related question.

As for how to configure Elasticsearch's mapping, I am also still digging, having a similar problem myself with multi-token strings I want to be able to sort on. It seems like there would be a put mapping API or the possibility of using config files, see here.

edited May 23 '17 at 10:25

Community

1
1

answered Jun 20 '14 at 15:11

Aldian

2,592
2
27
39

Updated my question with details. – Farcaller Jun 20 '14 at 22:45

Aggregating a list of http log paths in kibana

1 Answers1

Linked