Index: no but field still searchable? ES 2.3.x


#1

Hi,

I have one field that has "index": "no", but I can see that it's still searchable in Kibana. What could be the issue? I can't find the problem here; it's running on ES 2.3. By "still searchable in Kibana" I mean that the zoom icon on the field is black, and not greyed out as it is when a field is not searchable.

Field mapping:

{  
  app-2016.10.12:{  
    mappings:{  
      app-syslog:{  
        response:{  
          full_name:"response",
          mapping:{  
            response:{  
              type:"string",
              index:"no"
            }
          }
        }
      }
    }
  }
}

This is the template I'm using:

{
    "order": 0,
    "template": "*",
    "mappings": {
        "app-syslog": {
            "properties": {
                "request": { "index": "no", "type": "string" },
                "response": { "index": "no", "type": "string" }
            }
        },
        "_default_": {
            "_all": {
                "enabled": true
            },
            "_source": {
                "enabled": true
            },
            "dynamic_templates": [
                {
                    "notanalyzed": {
                        "match": "*",
                        "match_mapping_type": "string",
                        "mapping": {
                            "type": "string",
                            "index": "not_analyzed",
                            "include_in_all": true
                        }
                    }
                }
            ]
        }
    }
}

(David Pilato) #2

I guess it's because Kibana is using the _all field?
If you search for request:XYZ instead of XYZ you should see that this field is not searchable.

My 2 cents.


#3

I thought that too, but the doc says that index: no disables "include_in_all" by default.

https://www.elastic.co/guide/en/elasticsearch/reference/2.3/include-in-all.html


(David Pilato) #4

Yeah my bad. Not supposed to be indexed at all.

I did not reproduce your issue:

DELETE test
PUT test
PUT test/type/_mapping
{
  "type": {
    "properties": {
      "request": {
        "index": "no",
        "type": "string"
      },
      "response": {
        "type": "string"
      }
    }
  }
}
PUT test/type/1
{
  "request": "abc",
  "response": "def"
}
GET test/_search
{
  "query": {
    "query_string": {
      "query": "abc"
    }
  }
}
GET test/_search
{
  "query": {
    "query_string": {
      "query": "def"
    }
  }
}

Your mapping looks super strange to me:

{  
  app-2016.10.12:{  
    mappings:{  
      app-syslog:{  
        response:{  
          full_name:"response",
          mapping:{  
            response:{  
              type:"string",
              index:"no"
            }
          }
        }
      }
    }
  }
}

It does not look at all like what it should be (see my example).


#5

Thank you, going to try this method to see if I can reproduce it :)
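
An added diagnostic example, not part of any post in this thread: it reads a response in the shape posted in #1 (index -> mappings -> type -> field -> mapping, as the get field mapping API returns it) and reports, for every index in the response, whether the field is searchable by name or through _all. Checking every index matters because a field can be mapped differently in indices created at different times. The second index in the sample and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of the field mapping posted in #1.
# The second index (app-2016.10.11) and its settings are invented.
SAMPLE = json.loads("""
{
  "app-2016.10.12": {"mappings": {"app-syslog": {"response": {
      "full_name": "response",
      "mapping": {"response": {"type": "string", "index": "no"}}}}}},
  "app-2016.10.11": {"mappings": {"app-syslog": {"response": {
      "full_name": "response",
      "mapping": {"response": {"type": "string", "index": "not_analyzed"}}}}}}
}
""")


def field_report(resp, field):
    """Return one row per (index, type) describing how `field` is mapped."""
    rows = []
    for index_name, body in sorted(resp.items()):
        for type_name, fields in sorted(body.get("mappings", {}).items()):
            entry = fields.get(field)
            if not entry or not entry.get("mapping"):
                continue  # field is not mapped in this type
            m = next(iter(entry["mapping"].values()))
            index_opt = m.get("index", "analyzed")  # 2.x default for strings
            by_name = index_opt != "no"
            # Default per the include_in_all doc linked in post #3:
            # true unless index is "no". An explicit setting is taken as given.
            in_all = m.get("include_in_all", by_name)
            rows.append({"index": index_name, "type": type_name,
                         "index_option": index_opt,
                         "searchable_by_name": by_name, "in_all": in_all})
    return rows


def indices_still_searchable(resp, field):
    """Indices where `field` can be hit by name or through _all."""
    return [r["index"] for r in field_report(resp, field)
            if r["searchable_by_name"] or r["in_all"]]


if __name__ == "__main__":
    for row in field_report(SAMPLE, "response"):
        print(row)
    print("still searchable in:", indices_still_searchable(SAMPLE, "response"))
```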

