Can't make text field aggregatable

titan_tm · December 30, 2021, 6:49am

Hello guys,
I'm currently facing with issue related to visualization and need help.

ELK gets syslogs from cisco routers via filebeat, it parses the logs fine, which is great and It also works great in discovery. However, the main field which is called "MESSAGE" is not aggregatable, unfortunately. The field is in text format to make it aggregatable it needs to be changed to keyword but I'm not sure. I've tried to change the type of the field but it is not possible in index pattern, I've changed the type in Legacy index templates, but nothing changed.

All I need is to add message table into dashboard.
Thank you in advance

FALEN · December 30, 2021, 7:19am

Greetings from the person whose words may not be true,

Your change on legacy index template will only apply if new indices created.
Reindex will work too

POST _reindex
{
"source": {
"index": "my-index-000001"
},
"dest": {
"index": "my-new-index-000001"
}
}

majagrubic · December 30, 2021, 7:40am

It is true that you cannot aggregate on the text field type. You should be able to add keyword type to your existing field (documentation). After reindexing, this new field will show up as aggregatable.

titan_tm · January 3, 2022, 6:20am

Greetings and Happy New Year!

I just removed the old indice and created new one. Now it works fine! Thank you!

system · January 31, 2022, 6:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.