Message field no value shown

Why can't I see the “show top values” for the message field?


Also, if I need to access this message field in the notification, how will it be:

${message} OR
${event.message}

In both of the above cases it's coming out as empty, even though I can see the events coming in on the stream under “ALL MESSAGES”.

Just to note, I'm using Filebeat here.

Hey @ghaffar3

Could you explain in more detail what's going on?

So for your first question: you cannot aggregate on the message field. It’s a special field, and due to the fact that it’s optimized for searching, it’s not possible to aggregate. Specifically, it’s analyzed, which lets it function for things you would expect with full-text search. You can read the details here if you really want to know all the details: Analysis and Analyzers | Elasticsearch: The Definitive Guide [2.x] | Elastic

For your purpose, if you really need to be able to do a show top values on these, you would need to copy the values to another field when it’s ingested, and then aggregate that field.
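
The copy-at-ingest approach from the answer above, as an added example that is not part of the original thread: a small Python model in which the analyzed `message` field keeps only terms while a copied field keeps whole values that can be counted. The analyzer here is a simplified stand-in, the field name `message_raw` is hypothetical, and the sample events are constructed.

```python
import re
from collections import Counter

# Constructed sample events, standing in for what a log shipper would send.
SAMPLE_EVENTS = [
    {"message": "Failed password for root from 10.0.0.5"},
    {"message": "Failed password for root from 10.0.0.5"},
    {"message": "Accepted password for alice from 10.0.0.9"},
    {"message": "Failed password for admin from 10.0.0.5"},
]

def analyze(text):
    """Simplified stand-in for a full-text analyzer: lowercase, split into terms."""
    return [t for t in re.split(r"[^0-9a-z.]+", text.lower()) if t]

def ingest(event, copy_field="message_raw"):
    """Ingest step: copy the untouched message into a second field (hypothetical name)."""
    doc = dict(event)
    if doc.get("message"):  # events without a message get no copy
        doc[copy_field] = doc["message"]
    return doc

def build_index(docs):
    """Per-field storage: 'message' keeps analyzed terms, the copy keeps whole values."""
    index = {"message": [], "message_raw": []}
    for doc in docs:
        index["message"].append(analyze(doc.get("message", "")))
        if "message_raw" in doc:
            index["message_raw"].append(doc["message_raw"])
    return index

def top_values(index, field, n=3):
    """Top-values aggregation over an exact-value field."""
    return Counter(index[field]).most_common(n)

def term_counts(index, n=3):
    """All the analyzed field holds: counts of individual terms, not of messages."""
    return Counter(t for terms in index["message"] for t in terms).most_common(n)

if __name__ == "__main__":
    idx = build_index([ingest(e) for e in SAMPLE_EVENTS])
    print("terms in analyzed field:", term_counts(idx))
    print("top values on the copy:", top_values(idx, "message_raw"))
```
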