Elasticsearch: Support to show more columns than message and log level when visualizing logs in explore

[suikast42]

Is it possible to add a config filed for Elasticsteach log fields so that the explore view show only that fields of an index ?

[marefr]

You can configure a message and a log level field in datasource settings, see https://grafana.com/docs/features/datasources/elasticsearch/#logs-beta for reference. Isn't this enough?

[Theoooooo]

But it would be pretty good if you can choose multiples fields to being displayed along the message_field_name option. This way, you can pre-configure explore web page with specific fields for better exploring purpose like this request feature i did #18316 instead of creating a dashboard with variables, tables ... (the ghetto way for me because the explore page is pretty good and compact for displaying lots of informations compare to tables.)

I also notice that, while setting the level_field_name, i'm still only getting gray color among the logs if the value is equal or greater than 3. It would be great if we can customise the color for each level_field_name value available in the indice like green between 1 and 3, orange for 4,5,6 and red for above.

[marefr]

@Theoooooo Re-labeled and changed title of this issue to reflect a feature request.

Regarding level, it currently only support textual levels, see https://github.com/grafana/grafana/blob/master/packages/grafana-data/src/types/logs.ts#L8-L24. Suggest opening a separate feature request for than one.

[ml-cms]

Also host, program and facility fields would be great to support syslogs from multiple sources.

[missyoyo]

You can configure a message and a log level field in datasource settings, see https://grafana.com/docs/features/datasources/elasticsearch/#logs-beta for reference. Isn't this enough?

HI, I'm try use "Message field name" in datasource config,but it seems only support one filed,I try "Message field name=filed1" it seems works
but when I try "Message field name=filed1,filed2,fild3",I only get null when explore

[strowi]

In general it would be very convenient to be able to configure the "message field name" in the query instead of the datasource.
E.g. having nginx-logs parsed and split into http-statuscode, geo, url, ... fields, there is no way to display multiple of these in one grafana panel (pls correct me if i'm wrong).

[detailyang]

@marefr message and level field are not enough sometimes. For example, the hostname field is always useful

[gabor]

to do this with elastic requires support for visualizing multiple fields in the logs visualization, so this is related: #42315

also, another similar request, for cloudwatch: #48776

[gabor]

in explore-mode, you can open log lines and use the eye icon to replace the logLine with the value of the field.
i understand that currently it's not possible to use the eye icon in panels, so perhaps that should be implemented (this is trickier, because i assume you want grafana to "remember" which fields you chose)

[gelicia]

Hello, as you may have heard, we are transitioning away from using discussions to discuss feature requests. We are migrating this discussion to an issue and closing the discussion. The issue is #82942. Feel free to continue the discussion around this there. Thank you!