Keyword field not aggregatable and not searchable

ajnfde · May 4, 2017, 9:43pm

Hi, I can't make visualisation table using a field I add from logstash.

In logstash conf file used, I read a log file containing XML data.

XML data example :

<root_doc>
    ...
	<Body>
		<Source>
			<tag>
				<Header Version="x" SentAt="date" To="to" />    				
                          ...
			</tag>
		</Source>
	</Body>
</root_doc>

I add fields into elasticsearch like this

		xpath => ["//Header/@Version" , "Version"]
		xpath => ["//Header/@SentAt" , "SentAt"]
		xpath => ["//Header/@To" , "To"]
		xpath => ["//Source/*" , "XMLOrigine"]

So, fields Version, SentAt, To, XMLOrigine are created, Version.keyword, SentAt.keyword, To.keyword and XMLOrigine.keyword too.
They are all string.

But only the XMLOrigine.keyword field is not searcheable and aggregatable.

Can someone explain me why and how can I transform the XMLOrigine.keyword searchable and aggregatable.

mmichaels01 · May 4, 2017, 9:56pm

Can you post the {{index}}/{{type}}/_mapping result from Elasticsearch here?

Keyword should be searchable, it just requires that a query token will have an exact match.

As to the issue surrounding not being able to aggregate, that seems weird. What kind of aggregation are you trying to use, term ? I currently use keyword fields for term aggregations in multiple places in Elastic 5.3, so seeing what your index's mapping looks like would help here as well.

ajnfde · May 5, 2017, 11:42am

Post {{index}}/{{type}}/_mapping result

{
"index": {
"mappings": {
"type": {
"properties": {
"@timestamp": {
"type": "date"
},
"From": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SentAt": {
"type": "date"
},
"To": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"XMLOrigine": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}

I think I know why the XMLOrigine.keyword is not searchable and aggregatable.
The XMLOrgine content is above 256 characters.

How can I disablle ou modify the ignore criteria from elasticsearch or logstash configuration?

mmichaels01 · May 5, 2017, 5:17pm

https://www.elastic.co/guide/en/elasticsearch/reference/current/ignore-above.html

This should answer your question.

ajnfde · May 8, 2017, 9:14pm

Thanks mmichaels01.

Is it possible to do it in Logstash or elasticsearch yml files ?

system · June 5, 2017, 9:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to make a field aggregatable in kibana Elasticsearch	27	10215	January 25, 2019
Field not aggregatable! Kibana	2	774	September 12, 2018
Field value not found in aggregatable field Elasticsearch	3	276	February 11, 2023
Searchable, aggregatable Kibana	5	4620	May 19, 2017
Can't make text field aggregatable Kibana	4	1094	January 31, 2022

Keyword field not aggregatable and not searchable

Related Topics