I am stuck with a strange issue. I have a field which contains the first 50 characters of an error log.
All values appear when i search for events via "Discover".
However, when trying to bucket by the field in a visual some values in this field are not being included. Any ideas why this might be? Could it be invalid characters?
If your field is indexed as keyword and the length of the content is longer than ignore_above, it will show up in Discover (because it uses the _source object), but it won't work in visualizations, because aggregations are done on the indexed values (and everything above ignore_above is not indexed).
Increasing the value in your mapping and re-ingesting existing data should fix the problem.
If this doesn't help, please share the mapping of your index here, maybe something else is going wrong.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.