Field set as not analyzed but kibana shows it as analyzed

Elastic Stack Elasticsearch
1

Index template :

{
  "template" : "index-*",
  "settings" : {
    "index.refresh_interval" : "10s"
  },
  "mappings" : {
    "_default_" : {
       "_all" : {"enabled" : true},
       "dynamic_templates" : [ {
         "string_fields" : {
           "match" : "*",
           "match_mapping_type" : "string",
           "mapping" : { "type" : "string", "index" : "analyzed", "omit_norms" : true }
         }
       } ],
       "properties" : {
         "@version": { "type": "string", "index": "not_analyzed" },
         "attribute_map.Machine": { "type": "string", "index": "not_analyzed" },
         "attribute_map.Service": { "type": "string", "index": "not_analyzed" },
         "attribute_map.Task": { "type": "string", "index": "not_analyzed" },
         "guid": { "type": "string", "index": "not_analyzed" },
         "system_info.cluster_id": { "type": "string", "index": "not_analyzed" },
         "system_info.cluster_name": { "type": "string", "index": "not_analyzed" },
         "system_info.release_name": { "type": "string", "index": "not_analyzed" },
         "geoip"  : {
           "type" : "object",
             "dynamic": true,
             "path": "full",
             "properties" : {
               "location" : { "type" : "geo_point" }
             }
         }
       }
    }
  }
}

But kibana is showing fields such as system_info.cluster_name as analyzed. Am I missing any step here?

  1. As some data already existed in the system.
  2. I delete all the indices
  3. Updated the mapping
  4. Repushed the data
    ( BTW is deleting old data necessary for the new mapping to take effect? )
2

Hi guys any update on this?

3

First of all, is system_info.cluster_id supposed to be a single field,

"system_info.cluster_id": "some value"

or a nested field:

"system_info": {
  "cluster_id": "some value",
  ...
}

In the former case you should reconsider since fields with dots aren't supported in ES 2.0. In the latter case you have the wrong syntax in your index template. Following the pattern of the geoip field.

General advice for index templates:

  • Have you verified that your index template has been picked up by ES (e.g. by using the get index template API)?
  • Have you verified with the get mapping API that the recreated index has the wrong mapping (i.e. that it's not something on the Kibana side that's wrong)?
  • Have you verified that there aren't any other index templates also matching index-* indexes?

BTW is deleting old data necessary for the new mapping to take effect?

You can't change existing mappings so an index needs to be recreated for new mappings to take effect.

Hi guys any update on this?

Please refrain from thread-bumping at least during weekends.

4

Thanks a lot Magnus. Yes it was a json field and i was assuming that the filed name was dot separated.

My bad shouldn't have done thread bumping over the weekend.

5

@prtkgaur same issue with me.Could you please let me know how have you sorted it out ?