Hi I have a field loglevel which has values DEBUG,INFO,ERROR etc and all these 3 values for loglevel are showing up in Discover tab when i search using query loglevel: DEBUG | INFO | ERROR , but when i am creating visualization using term loglevel , only DEBUG and INFO are showing up for the same search interval . Please suggest where i am missing .
This is the mapping i have defined for loglevel :
"loglevel" : {
"type" : "string",
"norms" : {
"enabled" : false
},
"fielddata" : {
"format" : "disabled"
},
"fields" : {
"raw" : {
"type" : "string",
"index" : "not_analyzed",
"ignore_above" : 256
}
}
Hi team any updates?
It sounds like the there is only data containing DEBUG and INFO for the selected timespan. Try expanding the timespan and verifying there is data containing loglevel:ERROR
I checked the same logs for same timespan and there were ERROR logs showed up in discover tab.