Field stored as "text" though it was mapped to "keyword"

hjazz6 · August 1, 2024, 1:31am

Hi,

I'm running Elasticsearch version 8.8.0, and I want to map source.as.organization.name and destination.as.organization.name as keyword fields. This is data sent to ES using Filebeat, that is automatically getting IP geoloc enriched.

The relevant portion of my index mapping is as follows.

"source": {
  "type": "object",
  "properties": {
    "as": {
      "type": "object",
      "properties": {
        "number": {
          "type": "integer"
        },
        "organization": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        }
      }
    },
    ...
"destination": {
  "type": "object",
  "properties": {
    "as": {
      "type": "object",
      "properties": {
        "number": {
          "type": "integer"
        },
        "organization": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        }
      }
    },
...

When I check the "Index Templates" page on Kibana, the mapping for both fields are displayed as Keyword. When I get the mapping of the current index via GET <index_name>/_mapping, I can see the exact configuration I set in the index template, i.e. keyword for both fields.

However, when I looked at the records on Discover, both fields are still displayed with the t icon next to it, indicating they are text fields. And this only just happened this morning (not yesterday when I modified the mapping), there is now a multi-field icon displayed on the Discover page for both as.organization.name fields. I don't think my configuration was making this field a multi-field ?

Why are the fields still stored as text fields, and how can I store them as keyword fields instead?

Thank you.

TimV · August 1, 2024, 5:06am

Is your data being stored in an Index or a Data-Stream?

hjazz6 · August 1, 2024, 5:37am

It's a data stream. Basically it's what Filebeat automatically created in ES. And the index template is set to "Yes" for "Data stream".

BTW, when I looked at Index Management -> Data Views on Kibana, I see both fields with the "Type" displayed as text, keyword . When I clicked the pencil icon, I see the greyed-out "Type" dropdown box as 'text'. Is this why the field is still showing up as text ?

Also, the index template is matching indices created before and after the change of mapping of the fields from text to keyword. My question is more of why the newest fields are not shown as keyword fields, as there is still the t icon (and multi-field shown next to the field name, even though they are mapped to keyword.

TimV · August 2, 2024, 6:16am

I assume that the older backing indices of the data stream were text, and the newer indices and keyword.

Kibana recognises that the same field has multiple types across different indices and displays it as such.

Topic		Replies	Views
Store field as text and keyword in 7.3 Elasticsearch	2	402	July 23, 2020
[ES 5.0] Mapping issues Elasticsearch	2	1021	December 8, 2016
Kibana 5.0 shows field type as string, not keyword: working as designed? Kibana	3	5306	December 26, 2016
Index Mapping -- Type: Text and Keyword vs Type: Keyword and Text Elasticsearch	1	889	August 16, 2018
Strings shown as Multifields Elasticsearch	1	213	October 28, 2021

Field stored as "text" though it was mapped to "keyword"

Related topics