Hi,
I'm working on an aggregation of Queue statistics data. The data that I'm feeding in is from a log file that filebeat sends to and ingestion pipeline. The field queue, is a text field that comes in and gets assigned queue.raw for use in visualizations. I have created an aggregation script that builds a new index based on aggregating the queue data by hour, day, or whatever. However, that data when visualizing it shows up with queue.keyword.
I created an index alias so I can pull both the current and aggregate data together for a single visualization.
For example, I look at the MAX queue depth over time by queue. But the Aggregate uses queue.keyword and the real time data uses queue.raw. So how do I fix this so they will both have the same field suffix?
Thanks,
Tim