Unable to Use Field Value to Filter in Dashboard

craigdowning
Posts: 2
Joined: Mon Jun 20, 2016 1:35 am

Unable to Use Field Value to Filter in Dashboard

Post by craigdowning »

I am developing a Dashboard and have a field that is populated with either " ", "+" or "#".
I can see the values set in the field in the correct column of the Dashboard "All Events" Panel.
When I click on a row with a field value of " ", "#" or "+" and then select the 'search' icon beside the field, to use that field value as an additional filter, all of the displayed rows of the "All Events" Panel disappear. Other fields with numeric and text values work; however, this one does not.
Are these three characters special and need to be 'escaped' in some way?
What is the solution to this?

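Following is the JSON definition of the Dashboard. Note that the export also carries the query-bar history (the "history" list under "pulldowns"), so earlier host queries are included in it.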
{
"title": "some Log",
"edit_type": "",
"services": {
"query": {
"list": {
"0": {
"query": "host:\"152.165.24.248\"",
"alias": "",
"color": "#4D89F9",
"id": 0,
"pin": false,
"type": "lucene",
"enable": true
}
},
"ids": [
0
]
},
"filter": {
"list": {
"0": {
"type": "time",
"field": "@timestamp",
"from": "now-1h",
"to": "now",
"mandate": "must",
"active": true,
"alias": "",
"id": 0
},
"1": {
"type": "field",
"field": "SourceModuleName",
"query": "\"app_process\"",
"mandate": "must",
"active": true,
"alias": "",
"id": 1
},
"2": {
"type": "field",
"field": "app_error_level",
"query": "\"+\"",
"mandate": "must",
"active": true,
"alias": "",
"id": 2
}
},
"ids": [
0,
1,
2
]
}
},
"rows": [
{
"title": "graph",
"height": "300px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"span": 12,
"editable": true,
"group": [
"default"
],
"type": "histogram",
"mode": "count",
"time_field": "@timestamp",
"value_field": null,
"auto_int": true,
"resolution": 100,
"interval": "30s",
"fill": 3,
"linewidth": 3,
"timezone": "browser",
"spyable": true,
"zoomlinks": true,
"bars": true,
"stack": true,
"points": false,
"lines": false,
"legend": true,
"x-axis": true,
"y-axis": true,
"percentage": false,
"interactive": true,
"queries": {
"mode": "all",
"ids": [
0
]
},
"title": "Events over time",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1M",
"1y"
],
"options": true,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"pointradius": 5,
"show_query": true,
"legend_counts": true,
"zerofill": true,
"derivative": false
}
],
"notice": false
},
{
"title": "Events",
"height": "350px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"title": "All events",
"error": false,
"span": 12,
"editable": true,
"group": [
"default"
],
"type": "table",
"size": 50,
"pages": 5,
"offset": 0,
"sort": [
"@timestamp",
"desc"
],
"style": {
"font-size": "9pt"
},
"overflow": "min-height",
"fields": [
"@timestamp",
"app_timestamp",
"SourceModuleName",
"app_module",
"app_message",
"app_error_level",
"app_hour",
"app_minute",
"app_process_id",
"app_mandant"
],
"localTime": true,
"timeField": "@timestamp",
"highlight": [
"*"
],
"sortable": true,
"header": true,
"paging": true,
"spyable": true,
"queries": {
"mode": "all",
"ids": [
0
]
},
"field_list": true,
"status": "Stable",
"trimFactor": 900,
"normTimes": true,
"all_fields": true
}
],
"notice": false
}
],
"editable": true,
"failover": false,
"index": {
"interval": "day",
"pattern": "[logstash-]YYYY.MM.DD",
"default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED",
"warm_fields": true
},
"style": "light",
"panel_hints": true,
"pulldowns": [
{
"type": "query",
"collapse": false,
"notice": false,
"query": "*",
"pinned": true,
"history": [
"host:\"52.65.201.248\"",
"*"
],
"remember": 10,
"enable": true
},
{
"type": "filtering",
"collapse": false,
"notice": true,
"enable": true
}
],
"nav": [
{
"type": "timepicker",
"collapse": false,
"notice": false,
"status": "Stable",
"time_options": [
"5m",
"15m",
"1h",
"2h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
],
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"timefield": "@timestamp",
"now": true,
"filter_id": 0,
"enable": true
}
],
"loader": {
"save_gist": false,
"save_elasticsearch": true,
"save_local": true,
"save_default": true,
"save_temp": true,
"save_temp_ttl_enable": true,
"save_temp_ttl": "30d",
"load_gist": true,
"load_elasticsearch": true,
"load_elasticsearch_size": 20,
"load_local": true,
"hide": false
},
"refresh": false,
"dash_type": "elasticsearch"
}
Last edited by craigdowning on Wed May 20, 2020 4:51 pm, edited 1 time in total.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to Use Field Value to Filter in Dashboard

Post by cdienger »

I've been able to reproduce this and will file a bug with our dev team, but in the meantime you may want to try applying the filter below in the logstash config. It checks the field and stores the string "space", "pound", or "plus" depending on which character it finds. This will at least allow you to search the fields.


# Workaround: rewrite each single-character value that the dashboard filter
# cannot match (" ", "#", "+") to a word, so the field becomes searchable.
# "fieldname" is presumably a placeholder; substitute the affected field
# (app_error_level in the dashboard above).
# Note: update overwrites the stored value, so events indexed after this
# change no longer hold the original character in this field.
if [fieldname] == " " {
  mutate {
    update => { "fieldname" => "space" }
  }
} else if [fieldname] == "#" {
  mutate {
    update => { "fieldname" => "pound" }
  }
} else if [fieldname] == "+" {
  mutate {
    update => { "fieldname" => "plus" }
  }
}