Hi folks,
Running elk 6.7 here.
I have these indexes. 2 from different applications. These applications use the same logstash cluster and this goes to the same elastic coordinating node.
Now I have these 2 indexes, let's call them cacheindex and apiindex
Both indexes partly get the same kind of data, grabbed from logging and distilled from the URLs in there. I have more fields with issues, but will pick one for example. This field is to be used in visualizations to group on.
Now if I make a visualization for apiindex, I see the field api-version. Works as expected and data is grouped.
If I make a visualization for cache-index I see the field apiversion.keyword
If I use this one, I get no results. However when in Kibana I look at the index (under 'discover') I see the api-version field and it is nicely filled with data.
When in kibana I go to index management I see for the apiindex only the api-version field. For the cache-index I see 2 fields, api-version and api-version.keyword.
Here are the apiversion field definitions in the elastic template:

    "api-version": {
      "type": "keyword",
      "norms": false
    },

    "api-version": {
      "type": "keyword",
      "norms": false
    },

Looks just the same.
This is the field definition in the grok match in logstash template: (?<api-version>[\d\.]+)
Again, the same for both indices.
Where does this difference come from and, more importantly, how do I fix this?
edit:
Funny, when I go to add a scripted field, and do a preview of the field with doc['api-version'].value
I get results from the apiindex. However in the cacheindex I get no results with doc['api-version.keyword'].value
or with doc['api-version'].value
However, still, under 'discover' in kibana I see the api-version field filled. I can use the field in a filter and can add it as a column in the search results.
I am kind of stunned.
Thanks in advance for any help