Keyword field not aggregatable and not searchable

ajnfde · May 4, 2017, 9:43pm

Hi, I can't make visualisation table using a field I add from logstash.

In logstash conf file used, I read a log file containing XML data.

XML data example :

<root_doc>
    ...
	<Body>
		<Source>
			<tag>
				<Header Version="x" SentAt="date" To="to" />    				
                          ...
			</tag>
		</Source>
	</Body>
</root_doc>

I add fields into elasticsearch like this

		xpath => ["//Header/@Version" , "Version"]
		xpath => ["//Header/@SentAt" , "SentAt"]
		xpath => ["//Header/@To" , "To"]
		xpath => ["//Source/*" , "XMLOrigine"]

So, fields Version, SentAt, To, XMLOrigine are created, Version.keyword, SentAt.keyword, To.keyword and XMLOrigine.keyword too.
They are all string.

But only the XMLOrigine.keyword field is not searcheable and aggregatable.

Can someone explain me why and how can I transform the XMLOrigine.keyword searchable and aggregatable.

mmichaels01 · May 4, 2017, 9:56pm

Can you post the {{index}}/{{type}}/_mapping result from Elasticsearch here?

Keyword should be searchable, it just requires that a query token will have an exact match.

As to the issue surrounding not being able to aggregate, that seems weird. What kind of aggregation are you trying to use, term ? I currently use keyword fields for term aggregations in multiple places in Elastic 5.3, so seeing what your index's mapping looks like would help here as well.

ajnfde · May 5, 2017, 11:42am

Post {{index}}/{{type}}/_mapping result

{
"index": {
"mappings": {
"type": {
"properties": {
"@timestamp": {
"type": "date"
},
"From": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SentAt": {
"type": "date"
},
"To": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"XMLOrigine": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}

I think I know why the XMLOrigine.keyword is not searchable and aggregatable.
The XMLOrgine content is above 256 characters.

How can I disablle ou modify the ignore criteria from elasticsearch or logstash configuration?

mmichaels01 · May 5, 2017, 5:17pm

https://www.elastic.co/guide/en/elasticsearch/reference/current/ignore-above.html

This should answer your question.

ajnfde · May 8, 2017, 9:14pm

Thanks mmichaels01.

Is it possible to do it in Logstash or elasticsearch yml files ?

system · June 5, 2017, 9:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mapping text field with keyword not aggregatable Elasticsearch	5	3629	February 1, 2017
Strange Logstash index fields in visualization Kibana	5	827	October 18, 2017
Visualizing Terms In A Field Kibana	4	348	February 7, 2020
Unable to make a field aggregatable in kibana Elasticsearch	27	10226	January 25, 2019
Field not aggregatable! Kibana	2	774	September 12, 2018

Keyword field not aggregatable and not searchable

Related topics