Hi, I use Logstash's syslog plugin to collect logs. Searching Elasticsearch and Kibana for the same object gives different results in the _source field...
Elasticsearch version 1.4.0, Kibana 4.0.0-BETA2

When querying elasticsearch with curl I get:

    curl -XGET http://localhost:9200/logstash*/_search?pretty

    stml@riakcs:~/work/java/elasticsearch/data/stml_elasticsearch/nodes/0/indices$ curl -XGET 'http://localhost:9200/logstash*/_search?pretty&q=_id:AUoVYl3Ayvv7Nc0uRA6X'
    {
      "took" : 7,
      "timed_out" : false,
      "_shards" : {
        "total" : 5,
        "successful" : 5,
        "failed" : 0
      },
      "hits" : {
        "total" : 1,
        "max_score" : 1.0,
        "hits" : [ {
          "_index" : "logstash-2014.12.04",
          "_type" : "syslog",
          "_id" : "AUoVYl3Ayvv7Nc0uRA6X",
          "_score" : 1.0,
          "_source":{"message":"pam_authenticate: Authentication failure","@version":"1","@timestamp":"2014-12-04T12:59:35.000Z","type":"syslog","host":"0:0:0:0:0:0:0:1","priority":83,"timestamp":"Dec 4 13:59:35","logsource":"riakcs","program":"su","pid":"15292","severity":3,"facility":10,"facility_label":"security/authorization","severity_label":"Error"}
        } ]
      }
    }

But in Kibana I get:

    @timestamp  December 4th 2014, 13:59:35.000
    @version    1
    _id         AUoVYl3Ayvv7Nc0uRA6X
    _index      logstash-2014.12.04
    _source     {"message":"pam_authenticate: Authentication failure","@version":"1","@timestamp":"2014-12-04T12:59:35.000Z","type":"syslog","host":"0:0:0:0:0:0:0:1"}
    _type       syslog
    host        0:0:0:0:0:0:0:1
    message     pam_authenticate: Authentication failure
    type        syslog

Missing a lot of fields in _source...

I would have expected these views of the same field to be alike... have I misunderstood something?