that's what i thought, too
have done this GET on all new indices created, and see the parameter being mapped as keyword
GET index-name/_mapping?pretty
however, i perform the search in graylog:
_exists_:param_name AND _index:index-name
i try to show quick values on the param_name field, i get the 500 complaining about it being a text field
{
"index-name": {
"mappings": {
"message": {
"dynamic_templates": [
{
"internal_fields": {
"match": "gl2_*",
"mapping": {
"type": "keyword"
}
}
},
{
"store_generic": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword"
}
}
}
],
"properties": {
"BASE10NUM": {
"type": "keyword"
},
"GREEDYDATA": {
"type": "keyword"
},
"HOSTNAME": {
"type": "keyword"
},
"IPORHOST": {
"type": "keyword"
},
"MONTHDAY": {
"type": "keyword"
},
"MONTHNUM": {
"type": "keyword"
},
"NUMBER": {
"type": "keyword"
},
"POSINT": {
"type": "keyword"
},
....
"param_name": {
"type": "keyword"
},
....
}
}
}
}
}