Increase ignore above threshold - Kibana UI

Murali_Y · November 27, 2022, 1:27pm

Hello all,
We are using Kibana for logging/viewing/reporting our UiPath BOT logs.

But we are unable to view one field on Kibana due to the 256 characters threshold that is set on that field mapping. From How to set the "ignore_above" on elasticsearch / using logstash and kibana I understand that we can update this mapping using API at index level. Can someone help with below queries:

Is there a way to change this 256 threshold from UI?
We are using monthly auto indexing (one index per month). How do we overcome the challenge of not having to update the index every month?
Example: If index get auto generated at 12:00 AM and we update this index at 4:00 AM. Will the logs written in these 4hrs gap gets updated with new threshold mapping and shown on Kibana? or 'Reload indices' from index management page will help us get this done?
Any process/steps to achieve updating mappings at whole Kibana instance level (rather than on each index)?

Version we are using: 7.16

willemdh · November 27, 2022, 2:48pm

Hello @Murali_Y , You can use index templates and possible component templates for what you need:

Just set the ignore_above for the filed you need to something higher and all created indices that match the condition will apply everything in the template.

(There might be another template already (for example filebeat template), then you will have to update that template every update.)

Willem

Murali_Y · November 29, 2022, 3:38pm

Thanks a lot for responding. Is this 256 limit only on viewing a field on Kibana UI or even the log entries will get ignored when length of field in a entry is > 256?

Murali_Y · November 29, 2022, 5:30pm

@willemdh Thanks a lot for responding. Is this 256 limit only on viewing a field on Kibana UI or even the log entries will get ignored when length of field in a entry is > 256?

jsanz · December 28, 2022, 3:30pm

@Murali_Y from the documentation

ignore_above

Do not index any string longer than this value. Defaults to 2147483647 so that all values would be accepted. Please however note that default dynamic mapping rules create a sub keyword field that overrides this default by setting ignore_above: 256.

This is a setting on Elasticsearch, and not from Kibana. If this is on a keyword subfield, the parent field may still index the data as a text type, so OK for search but not for aggregation.

system · January 25, 2023, 3:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.