Description of problem:

When using Kibana from the EFK logging stack, the discover page shows log entries as I would expect. I've attached a screenshot to show how entries are displayed. However, when I select a field and press 'Visualize', I see that the graph that is generated breaks down each entry for that field on word boundaries. I've attached an example screenshot for this as well.

Using the field 'kubernetes_pod_name' and value 'kibana-2-rp2xg' as an example, when I visualise this field I see that the x-axis shows 3 separate bars which are 'kibana', '2', and 'rp2xg'; however, I would expect to only see one bar with 'kibana-2-rp2xg' as the x-axis value.

I believe this is because Elasticsearch analyses fields by default, but for OpenShift it should be configured to treat any kubernetes_ fields, and possibly any field except for 'message', as not_analyzed. The EFK logging stack bundled with OpenShift uses analysed fields. This means that all values get broken down on word boundaries, and as such the visualisations and dashboards in Kibana are usually not usable.

Version-Release number of selected component (if applicable):

OpenShift Container Platform 3.3

How reproducible:

Reproduce in Kibana as mentioned above.

Actual results:

The view is divided.

Expected results:

The view should show the logs from the pod as a whole name.

Additional info:
Can we close this bug? Fixed in 3.4?
Can this be closed? The attached customer case is closed and this should be resolved in 3.4
Hello, yes please close the bug. Thank you
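A check for the condition described in the report at the top of this thread, as an added example that is not part of the bug report or of OpenShift's logging code: it walks an index mapping and lists the string fields that are still analysed, along with any exact-match sub-field. It assumes Elasticsearch 1.x/2.x mapping syntax (`"type": "string"` with `"index": "not_analyzed"`); the sample mapping, index name, type name and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape GET /<index>/_mapping returns on
# Elasticsearch 1.x/2.x (assumed version; index and type names are made up).
SAMPLE_MAPPING = json.loads("""
{"example-logs-2016.11.01": {"mappings": {"fluentd": {"properties": {
  "message": {"type": "string"},
  "kubernetes_pod_name": {"type": "string"},
  "kubernetes_namespace_name": {"type": "string", "index": "not_analyzed"},
  "kubernetes_container_name": {"type": "string",
      "fields": {"raw": {"type": "string", "index": "not_analyzed"}}},
  "docker": {"properties": {"container_id": {"type": "string"}}}
}}}}}
""")

def walk(props, prefix=""):
    """Yield (dotted_field_name, field_definition) for every leaf field."""
    for name, spec in props.items():
        path = prefix + name
        if "properties" in spec:          # object field: recurse into it
            yield from walk(spec["properties"], path + ".")
        else:
            yield path, spec

def analyzed_string_fields(mapping, allow=("message",)):
    """Return {field: exact-match sub-field or None} for analysed strings.

    A string field with no "index" setting is analysed by default, so a
    terms aggregation on it buckets by token, not by whole value.
    """
    findings = {}
    for index in mapping.values():
        for doc_type in index["mappings"].values():
            for path, spec in walk(doc_type.get("properties", {})):
                if spec.get("type") != "string" or path in allow:
                    continue
                if spec.get("index", "analyzed") != "analyzed":
                    continue
                raw = [path + "." + sub for sub, s in spec.get("fields", {}).items()
                       if s.get("index") == "not_analyzed"]
                findings[path] = raw[0] if raw else None
    return findings

if __name__ == "__main__":
    for field, raw in sorted(analyzed_string_fields(SAMPLE_MAPPING).items()):
        print(field, "->", raw or "no exact-match sub-field; values split into tokens")
```

Fields reported with no sub-field are the ones a Kibana terms visualisation will break into separate tokens, as with 'kibana', '2' and 'rp2xg' in the report.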