Multi value parser, aggregation


(Jendamozna) #1

Hello, any idea how can i correctly display “quick values” for F5 ASM module violations:
Syslog message:
... violations="HTTP protocol compliance failed,System found unauthorized protocol" ...
Parser:
violations="%{DATA:violations}"
Default ES mapping:
violations = keyword

When field mapping changed to “text” and fielddata:true the aggregation does not make sense:
protocol: 2
http: 1…

I expect aggregation like this:
HTTP protocol compliance failed: 1
System found unauthorized protocol: 1

Can this be somehow solved with pipeline/array?


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.