Cannot search on field [log.original] since it is not indexed

Elastic Stack Elasticsearch
1

Hi --I am not sure how to diagnose this issue. My searching has offered no results.

When I try to refine my iptables query with > log.original: "ID=1234" I get the error:

failed to create query: Cannot search on field [log.original] since it is not indexed.

I am surprised to find this error because the log.original field has the 't' icon which I understood meant it is indexed. Either way, can you please help me determine if this is or is not indexed, and if not, how can I achieve that?

image
image963×370 79.2 KB

2

Check index mapping first. What it says by
GET /your-index/?

3

Thanks. I did this in dev tools GET /filebeat-*/? and got 29, 138 lines! I am unable to find anything with log.original specifically. What should I be looking for?

4

What will happen if you specify a single index without wild card.

5

I have only these index. All of them give the same results with 29, 138 lines.

GET /filebeat-7.16.3-2022.01.23-000001/?
GET /filebeat-7.16.3/?
6

find "original" field in "log" field

7

Check you index _mapping;

GET /<index-name>/_mapping

and make sure your log.original fields index option is not set to false;

Mapping Index

1 Like
8

I think this is what you are requesting. At line 11643:


        "log" : {
          "properties" : {
            "file" : {
              "properties" : {
                "path" : {
                  "type" : "keyword",
                  "ignore_above" : 1024
                }
              }
            },
            "flags" : {
              "type" : "keyword",
              "ignore_above" : 1024
            },
            "level" : {
              "type" : "keyword",
              "ignore_above" : 1024
            },
            "logger" : {
              "type" : "keyword",
              "ignore_above" : 1024
            },
            "offset" : {
              "type" : "long"
            },
           "origin" : {
              "properties" : {
                "file" : {
                  "properties" : {
                    "line" : {
                      "type" : "long"
                    },
                    "name" : {
                      "type" : "keyword",
                      "ignore_above" : 1024
                    }
                  }
                },
                "function" : {
                  "type" : "keyword",
                  "ignore_above" : 1024
                }
              }
            },
            "original" : {
              "type" : "keyword",
              "index" : false,
              "doc_values" : false,
              "ignore_above" : 1024
            },
            "source" : {
              "properties" : {
                "address" : {
                  "type" : "keyword",
                  "ignore_above" : 1024
                }
              }
            },
9

This is the reason you got the error. The settings is set by you? If you want to query on the field, You have to ask those who maintenance the index.

10

This produced the same as what I pasted just now. If I understand this correctly the index option is false but how would I change that to true?

            "original" : {
              "type" : "keyword",
              "index" : false,
              "doc_values" : false,
              "ignore_above" : 1024
            },
11

It is only me. I must try to discover how to change the setting.

12

Though I don't remember if possible, try update mappings API.

If it doesn't work, you have to create new index with desired mappings and reindex to it.

14

I will try this later today. Thank you Tomo!

15

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.