Hello, I have a problem finding documents in a data stream. Every document has the field "received_from". With an update from the Filebeats, the field "host.hostname" was added. Both of the fields hold the same string, and that's the server name.
If I now run a query in Discover or in the Dev Tools, I receive no file for the query that searches for the "received_from" field. But when I search for the "host.hostname" field, I receive multiple docs. All the docs also contain the "received_from" field with the same string as in the "host.hostname" field.
The mapping was checked; both fields are set as keyword.
Also, a test was made with another Elastic instance, where some documents were placed in an index. The index uses the same mapping as the data stream. The queries were also copied. In this case, the documents were found with both queries.
I would be very happy to receive a few tips on how I can narrow down the error. Or perhaps someone has had the same problem and can tell me the solution.
Thank you
Felix