How to make filed as aggregatable in Elastic search

Suvarna_S · May 11, 2021, 5:40am

Hi Team,

I am new to elastic search/kibana.
I have a field "exceptions". I want to make this field as aggregatable, so that I can use this field for my visualization dashboard to fetch the count of exceptions. Kindly help me to fix this.

Please find the mapping here:

{
  "rs-glsss" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "corelationId" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "exceptions" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "host" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "hostName" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "level" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "logMessage" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "logger" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "serviceName" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "serviceNameByLog" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "statusCode" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "thread" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "timestamp" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
    }
  }
}

Need help!

Christian_Dahlqvist · May 11, 2021, 5:48am

Aggregate on exceptions.keyword.

Suvarna_S · May 11, 2021, 5:48am

No.. for the field "exceptions"

Christian_Dahlqvist · May 11, 2021, 6:02am

That field has two mappings. The keyword subfield can be aggregated and has the same data.

Suvarna_S · May 11, 2021, 6:08am

Please help me to fix this.

Christian_Dahlqvist · May 11, 2021, 6:37am

I have given the solution. Try it. I would also recommend you read this part of the docs.

dadoonet · May 11, 2021, 7:01am

To answer your question;

You need to change the mapping and use a keyword type.

rsmith013 · May 12, 2021, 9:00am

The solution depends on whether you want search capability for the exceptions fields as well as aggregation capability.

If you want to use Elasticsearch's search capability then you should do as @Christian_Dahlqvist has said. Use exceptions.keyword as your aggregation field. As stated, this has the same data but has not been put through elastic's field analyzers and been tokenized.

This does not require a change to your mapping or a reindex of the data.
If you can change the mapping and re-index and will only want to use the value of the field as a whole, not in parts (i.e. full string matching) then changing the mapping for the field to a keyword type, as @dadoonet suggests, will have the same effect and aggregations can then be done on the exceptions field natively.

To be clear, there is no difference in the result of the aggregation between using exceptions.keyword and changing the field to type keyword and using exceptions in your aggregations, but it will change what else you can do with the field.

system · June 9, 2021, 9:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.