Changed Mapping but field is still Analyzed?

vikas_gopal · March 21, 2016, 8:31am

Hi Experts ,
Please clear my doubt , I had an index and "alertmsg" field had following mapping

"alertmsg": {"type": "string","analyzer":"analyzer_keyword"}

I was not happy the way kibana showing it in table as the whole string was separated into words, so I changed my mapping back to
"alertmsg": {"type":"string","index" : "not_analyzed","doc_values" : true}

I can still see this field as analyzed field not sure why , do I need re-indexing in this case . As per my understanding since i have changed mapping from analyzed to not_analyzed , so from now on this field will act as not_analyzed field and for old data it will remain analyzed ? Please correct me if I am wrong , because if this is the case it should implement , or I may be missing something ?

Thank
VG

vikas_gopal · March 21, 2016, 8:36am

ok , So I got this in the ES documents

We can update a mapping to add a new field, but we can’t change an existing field from analyzed to not_analyzed.

So I guess in my case solution is only re indexing ?

Thank
VG

dadoonet · March 21, 2016, 9:13am

You can also add a sub field named raw for example which is not_analyzed.

"title": {
    "type": "string",
    "fields": {
        "raw":   { "type": "string", "index": "not_analyzed" }
    }
}

New documents or updated documents will have this field. But older won't.
So probably reindexing is better here.

vikas_gopal · March 21, 2016, 9:23am

@dadoonet

Thanks for the quick response , I have another query . Is it possible to make a field full text search wih not_analyzed . Why I am asking this is when I create a field analyzed with standard tokenizer it cuts the whole string into words and that's look ugly in kibana table .

What I want is to show a complete sting **"malicious ips"*in the table row but full text search should be enable on that string so that I can search it like alertmsg:malicious.

Sorry to ask this in the same thread .

Thanks
VG

talk2cshah · March 21, 2016, 9:28am

@vikas_gopal you can copy the field in other field and mark it analyzed and so you can search in 1 field and display another.

Regards!

dadoonet · March 21, 2016, 9:37am

Searching in non_analyzed fields? Yes you can. But you will have to search the exact term.

For example, if you indexed: My CITY NaME, searching for CITY, my city name... won't work.

That's why using multi fields as I explained is interesting.

You still run your searches on city field but you run aggregations on city.raw.

vikas_gopal · March 21, 2016, 9:37am

Thanks Chirag ,

But how it is achievable to search in 1 field and display another ?. Sorry I do not understand it.

vikas_gopal · March 21, 2016, 9:42am

I see what you guys are saying , thanks @David and @Chirag..