I am confused with how keyword type work with aggregatable in Kibana

Ian_Huang · February 19, 2018, 2:32am

HI guys,

I am new to ELK stack. I am trying to understand how keyword type work with different setting. To test, I set following fields:

    "OS":     { "type": "text","fields":{
      "keyword":{
        "type":"keyword",
        "ignore_above":256
      }

    }},    
    "OS2":     { "type": "keyword",index: false  }, 
    "OS3":     { "type": "keyword",index: false,"ignore_above":256 }, 
    "OS4":     { "type": "keyword",index: true,"ignore_above":256 }, 
    "tt":     { "type": "keyword",index: true},

From management console in Kabana, I can see all fields above are aggregatable.

But only OS.keyword can return results as expected. The other fields always return zero results.

GET /logs3/visit3/_search?pretty
{
"aggs":{
"os2":{
"terms":{
"field": "OS2"
}
}
}
}

Can you help me to point what is correct way to set a non-indexed type but aggregatable field?

Possible values in fields are: Mac OS, IOS, Android....

Hanish_Bansal · February 19, 2018, 3:25am

If index is set to false then you would not be able to query on that field. Try running aggregation on OS4, it should give you results.
For Aggregations, index should be true and type should be keyword.

system · March 19, 2018, 3:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.