Group same errors on .keyword

Pietia · January 8, 2019, 10:27am

I'm trying to group same errors on kibana with elk stack
however when I visualise data by Error not all errors are there I'm visualising data on err_message.keyword field.

What I noticed is that long strings are not there where small strings are there and can be grouped fine.
Is there some limit on .keyword field type sometimes err_message have like 400 chars here and can't be visualised.

When I click on add missing and group other values I can see the Other and Missing values in err_message.keyword
Can you tell me how can I resolve this issue?

Nathan_Reese · January 9, 2019, 1:31am

What is the elasticsearch mapping for the field err_message.keyword? If elasticsearch created the field mapping by default then it will probably look something like the below and the keyword field is getting trimmed at 256 characters.

          "agent" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }

Pietia · January 16, 2019, 2:57pm

Hi,
I wish to get only err_message.keyword having ignore_above equal to 200000 ,right now I'm using this is applied to every .keyword

Can anybody help me how to make it with only one err_message.keyword?

{
"tomcat-template": {
"order": 0,
"index_patterns": [
"tomcat*"
],
"settings": {},
"mappings": {
"doc": {
"dynamic_templates": [
{
"strings": {
"match_mapping_type": "string",
"mapping": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 200000
}
}
}
}
}
]
}
},
"aliases": {}
}
}

system · February 13, 2019, 2:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.