All String fields are splitting for / - _

After upgrading and loading the new index file to Elasticsearch, all data on the dashboards is being split and grouped by the parts of the field, like query, path and so on.

Did you apply the Elasticsearch templates? Looks like these fields are set to analyzed, but should not be. In the Kibana settings page you can check whether fields are analyzed or not (and their data types).

I did apply the Elasticsearch templates from the packetbeat.template.json on it, but still nothing :confused:
Is there any way to add the field.raw for all string fields and keep the collected data?

Thanks

The templates must be applied to Elasticsearch before indexing. You cannot change the mapping retroactively.

Either drop your indexes or consider reindexing: https://www.elastic.co/guide/en/elasticsearch/guide/current/reindex.html

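Added example, not part of the thread: a Python check that walks an index mapping (as returned by `GET /<index>/_mapping`) and lists the string fields Elasticsearch will tokenize, noting whether each has a `not_analyzed` sub-field such as `.raw`. It assumes the pre-5.x `string` / `index: not_analyzed` mapping syntax the thread implies; the index name, document type and every field except `query` and `path` are constructed sample data.

```python
# Constructed sample mapping in pre-5.x syntax (assumption); a real one
# would be the JSON body returned by GET /<index>/_mapping.
SAMPLE_MAPPING = {
    "packetbeat-2016.01.01": {  # constructed index name
        "mappings": {
            "http": {  # constructed document type
                "properties": {
                    # No "index" key: strings default to analyzed (tokenized).
                    "query": {"type": "string"},
                    "path": {"type": "string", "index": "not_analyzed"},
                    "bytes_in": {"type": "long"},
                    "http": {
                        "properties": {
                            "phrase": {
                                "type": "string",
                                "fields": {"raw": {"type": "string",
                                                   "index": "not_analyzed"}},
                            }
                        }
                    },
                }
            }
        }
    }
}


def analyzed_string_fields(properties, prefix=""):
    """Yield (field_path, has_not_analyzed_subfield) for analyzed strings."""
    for name, spec in sorted(properties.items()):
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            yield from analyzed_string_fields(spec["properties"], path + ".")
        elif (spec.get("type") == "string"
              and spec.get("index", "analyzed") == "analyzed"):
            subs = spec.get("fields", {})
            has_raw = any(s.get("index") == "not_analyzed"
                          for s in subs.values())
            yield path, has_raw


def audit(mapping):
    """Map (index, doc_type, field) -> True if an exact-match sub-field exists."""
    report = {}
    for index, body in mapping.items():
        for doc_type, tmap in body.get("mappings", {}).items():
            props = tmap.get("properties", {})
            for path, has_raw in analyzed_string_fields(props):
                report[(index, doc_type, path)] = has_raw
    return report
```

Fields reported with `False` are the ones dashboards will split on `/`, `-` and `_`; they need the template applied and the index dropped or reindexed, as the replies above say.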