Kibana dashboards and visualizations for auditd module do not use keyword fields for aggregation queries in my version 6.8.4. This is the case for latest upstream too though:
This led to dashboards not working properly since fielddata is disabled by default for text fields. I managed to make them work again, by editing the jsons and using keyword fields.
Is there a reason that upstream uses text fields for aggregation queries ? Does it make sense to send a PR for it?
Thank you,
Kostis
What specific fields are seeing indexed as text? Most things are keyword, but there are a few places where multi-fields have been used to index both as keyword and text.
Maybe you don't have the Auditbeat index template installed?
Ah yeah, that could be it, thanks! If Elasticsearch has already loaded documents,I guess I can load the template retroactively then, and Kibana will honor the new new template for new index documents? Is that right?
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.