i have setup EFK stack in k8 cluster, created the index pattern, it crated an extra field with ".keyword" at the end, this field has aggregateable option enabled.
here is a screenshot of what I am seeing:
The difference between these fields is how they are indexed - the regular one is indexed as text, which means you can do a full text search on it (suitable for fields that contain lots of text, e.g. an article or a description of a product). The other one is indexed as keyword which means you can only search for the whole value of the field, not individual parts of it (suitable for fields with short values, like a transaction type or an id). This is the blog post explaining it in greater detail: https://www.elastic.co/blog/strings-are-dead-long-live-strings
The keyword field is aggregateable which means you can do things like terms aggregations on it.
If you only want to filter by the whole value of a field and do aggregations on it, you don't need the "text" indexed version of it. Having both fields is just the default mapping, you can specify an explicit mapping to just index the fields as keyword under the original field name: https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html#create-mapping
For more complex cases it might make sense to look into dynamic templates: https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-templates.html#dynamic-templates
great explanation, thx!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
