Hi,
I’m using the http_poller to pull some data from a site. The data arrives in JSON format and I have my filters, etc. set up and all works as expected in the ELK stack. Looking in Kibana I can see the data as expected.
However, when I try to render the same data in Grafana, I get mixed results as to whether it shows a text field. The layout of the index is shown below. The only field with issues is the “summary” field.
{
  "cve-last-30-2019.03.14": {
    "aliases": {},
    "mappings": {
      "doc": {
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "@version": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "Modified": {
            "type": "date"
          },
          "Published": {
            "type": "date"
          },
          "cvss": {
            "type": "float"
          },
          "cwe": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "id": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "last-modified": {
            "type": "date"
          },
          "nist_link": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "ranking": {
            "properties": {
              "circl": {
                "type": "long"
              }
            }
          },
          "references": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "summary": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "tags": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "vulnerable_configuration": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "vulnerable_configuration_cpe_2_2": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "watch": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      }
    },
    "settings": {
      "index": {
        "refresh_interval": "5s",
        "number_of_shards": "1",
        "provided_name": "cve-last-30-2019.03.14",
        "creation_date": "1552577501618",
        "number_of_replicas": "2",
        "uuid": "Uq_HRhBtSQesxIM0zyA2Zg",
        "version": {
          "created": "6020199"
        }
      }
    }
  }
}
Adding the “Missing” tag of “Cannot render Summary” in Grafana for the summary field to ensure it shows up to troubleshoot will result in this:
Take entry “CVE-2019-9752” as an example: you can see that the summary field isn’t generated for this entry. Searching for that same entry in Kibana produces the following:
If I wasn’t getting anything shown for all summary fields in Grafana, I would put it down to how the index was set up, but that’s not the case, so I’m at a loss to figure out why I don’t see anything.
Is there anything obvious I should be checking?
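
One check the mapping above suggests, as an added example that is not part of the original post: Elasticsearch does not index a value into a keyword sub-field when it is longer than `ignore_above` characters, so a terms aggregation on `summary.keyword` would report such documents as missing while the full text stays visible in Kibana. The script assumes the Grafana panel groups by `summary.keyword`; the helper names and sample documents are constructed for illustration.

```python
# Subset of the mapping in the post; field names and the 256 limit are from the page.
KW = {"keyword": {"type": "keyword", "ignore_above": 256}}
MAPPING = {"properties": {
    "id": {"type": "text", "fields": KW},
    "summary": {"type": "text", "fields": KW},
    "cvss": {"type": "float"},
    "ranking": {"properties": {"circl": {"type": "long"}}},
}}

# Constructed sample documents (not real CVE entries).
DOCS = [
    {"id": "CVE-0000-0001", "summary": "Short constructed summary.", "cvss": 5.0},
    {"id": "CVE-0000-0002", "summary": "x" * 300, "cvss": 7.5},
    {"id": "CVE-0000-0003", "summary": ["ok", "y" * 257], "cvss": 4.3},
]


def keyword_limits(mapping, prefix=""):
    """Return {"field.sub": ignore_above} for keyword sub-fields, recursing into objects."""
    limits = {}
    for name, spec in mapping.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:
            limits.update(keyword_limits(spec, path + "."))
        for sub, sub_spec in spec.get("fields", {}).items():
            if sub_spec.get("type") == "keyword" and "ignore_above" in sub_spec:
                limits[f"{path}.{sub}"] = sub_spec["ignore_above"]
    return limits


def dropped_keywords(doc, limits):
    """List keyword sub-fields that get no indexed value for this document."""
    dropped = []
    for sub_field, limit in limits.items():
        value = doc.get(sub_field.rsplit(".", 1)[0])  # top-level fields only
        if value is None:
            continue
        # ignore_above is applied to each array element separately.
        values = value if isinstance(value, list) else [value]
        if not any(len(str(v)) <= limit for v in values):
            dropped.append(sub_field)
    return sorted(dropped)


def report(docs, mapping=MAPPING):
    """Map document id -> sub-fields a terms aggregation would count as missing."""
    limits = keyword_limits(mapping)
    found = {d["id"]: dropped_keywords(d, limits) for d in docs}
    return {doc_id: subs for doc_id, subs in found.items() if subs}
```

Running `report()` over documents exported from the index shows whether the entries that fail to render in Grafana are exactly the ones whose summary exceeds the limit.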