.keyword doesn't exist

I have logs of a server indexed on my ES. The message body of the logs is in the field named message. Now if I try to aggregate on the field message.keyword, that field doesn't exist for a certain number of logs.
After some research I found that ES maps each string field to two fields, which in my case should be:

message
message.keyword

But somehow the second field doesn't exist for some logs, although those events have a valid string in their message field. What could be the reason?

Hmm, that seems strange, could you provide the mapping for your index here?

Are you saying message.keyword is only missing for some of the logs, but the message field is still there in them?

I have the same.
Only the field message does not have a .keyword counterpart.

Mapping:

        "message": {
          "type": "text",
          "norms": false
        },

Logstash 6.4.2

Is this on purpose? Can it be enabled also for "message"?

Seems to be on purpose. The default mapping doesn't create a .keyword field for "message".
Relevant parts from the mapping template:

      "dynamic_templates": [
        {
          "message_field": {
            "path_match": "message",
            "match_mapping_type": "string",
            "mapping": {
              "norms": false,
              "type": "text"
            }
          }
        },
        {
          "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "fields": {
                "keyword": {
                  "ignore_above": 256,
                  "type": "keyword"
                }
              },
              "norms": false,
              "type": "text"
            }
          }
        }
      ],

Seems a bit strange, but ok.
One can manage the template himself (docs), or use a different field name than "message".
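
Added example (not part of the thread, and not Logstash's or Elasticsearch's own code): a simplified Python model of dynamic-template resolution, where the first matching template wins, applied to the two templates quoted above. `CUSTOM_TEMPLATES`, `resolve` and `has_keyword` are hypothetical names, and `fnmatch` globbing is an assumption standing in for Elasticsearch's own matcher.

```python
from fnmatch import fnmatchcase

# Dynamic templates copied from the mapping template quoted in the thread.
LOGSTASH_TEMPLATES = [
    {"message_field": {
        "path_match": "message",
        "match_mapping_type": "string",
        "mapping": {"norms": False, "type": "text"}}},
    {"string_fields": {
        "match": "*",
        "match_mapping_type": "string",
        "mapping": {
            "fields": {"keyword": {"ignore_above": 256, "type": "keyword"}},
            "norms": False, "type": "text"}}},
]

# Hypothetical self-managed variant: message_field also gets the keyword sub-field.
CUSTOM_TEMPLATES = [
    {"message_field": {
        "path_match": "message",
        "match_mapping_type": "string",
        "mapping": LOGSTASH_TEMPLATES[1]["string_fields"]["mapping"]}},
    LOGSTASH_TEMPLATES[1],
]

def resolve(templates, path, detected_type="string"):
    """Simplified model: return (name, mapping) of the FIRST matching template."""
    # Assumption: fnmatch globbing stands in for Elasticsearch's pattern matcher.
    leaf = path.rsplit(".", 1)[-1]          # "match" tests the field name only
    for entry in templates:
        (name, rule), = entry.items()
        if rule.get("match_mapping_type", detected_type) != detected_type:
            continue
        if "match" in rule and not fnmatchcase(leaf, rule["match"]):
            continue
        if "path_match" in rule and not fnmatchcase(path, rule["path_match"]):
            continue
        return name, rule["mapping"]        # later templates are never consulted
    return None, None

def has_keyword(templates, path):
    """True if a new string field at `path` would get a .keyword sub-field."""
    _, mapping = resolve(templates, path)
    return bool(mapping) and "keyword" in mapping.get("fields", {})

if __name__ == "__main__":
    for field in ("message", "host", "log.message"):
        print(field, has_keyword(LOGSTASH_TEMPLATES, field),
              has_keyword(CUSTOM_TEMPLATES, field))
```

With `ignore_above` set to 256, values longer than 256 characters are not indexed in the keyword sub-field, so long log lines would still be absent from aggregations on `message.keyword` even with the custom template.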
