Kibana 4.1 change the Primary_Field from _all to something else

Hi Guys

I want to disable the "_all" field because it consumes too much space and I really don't have a use for it. However Kibana 4.1 seems to default to that field for Visualization queries.

I found an old topic that said modifying the KibanaConfig.rb file and set up the Primary_field = "_all" to Primary_field = "message" would do the trick.

However, I cannot find the KibanaConfig.rb anywhere in my installation.

Was it removed in this version? If so ... how can I change that behavior?

Thanks!

If you're looking at instructions mentioning KibanaConfig.rb, they are for a very old (original?) version of Kibana and are no longer current. When working with Kibana 4, you can disable the _all field in your Elasticsearch mappings and that will not affect your Kibana functionality.

The _all in the legend in your screenshots refers to "all returned documents". I see how this nomenclature may be a bit confusing, so I filed a Github ticket ticket with a "discuss" label on your behalf: https://github.com/elastic/kibana/issues/4642

That makes sense, thank you!

I actually reinstalled my test environment and I started seeing all documents in my queries again.

At first I could not see any documents and I found this article so I assumed that was my problem. I later reinstalled my test environment and everything started working, so I guess there was another problem there.

Again, thanks and I'll follow up that discussion.