Field_name.keyword appended to fields after upgrading to 6.5.x

I've noticed that most (if not all) of my field_names have a .keyword appended to them after upgrading my Elastic Stack from 6.4.x to 6.5.x.

One thing that I've noticed is that when doing a unique count of a particular field, such as computer_name, some shards will fail and I will not get any results. However, when I use computer_name.keyword, I receive the desired results.

I'm wondering if this is normal behavior or not? I'll also note that I did not reload in the new index mapping over 6.4.x's mapping, so perhaps that's the issue?

It's the normal behavior since elasticsearch 6.0 (May be 5.0 as well.) when using the default dynamic mapping.

Got ya, and thanks for the quick reply.

So basically any field that is dynamically populated (not hard coded in the index mapping) will have the .keyword appended it during upgrades?

When I go from 6.5.x to 6.6.x, will that create a field_name.keyword.keyword? If so, I should probably start by creating a map for each field that's going to be in my indices.

Upgrades don't do that.
It's just happening to new fields.

If by upgrade, you meant reindex then that can happen indeed.

I'm not sure about what you did though.

Nope, I didn't mean reindex. I just did a normal rolling upgrade from 6.4.x to 6.5.x.

However, I think that's something I'll likely have to end up doing here in the next few days. Everything is fairly vanilla in my environment -- using Winlogbeat to collect events, feeding that into Logstash, and then indexing everything Logstash outputs to Elasticsearch.

Thanks for lending your knowledge!

I just did a normal rolling upgrade from 6.4.x to 6.5.x.

This should not happen on existing indices. May be you didn't notice the fields earlier?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.