Kibana and unknown field

vincent2mots · January 21, 2021, 12:21pm

Hi there!

I created an Index Pattern ".monitoring-es*" and I try to create a dashboard on it.

I would like to use the field "index_stats.shards.total", like in the discover :

Could you please help me?

Why my field is "unknown field"?
I can't see him in the Index Pattern
I can't change the index mapping

Best regards,

flash1293 · January 21, 2021, 12:23pm

It seems like this field is not indexed, so you can't build visulizations on top of it. Can you share the complete mapping of your monitoring index?

vincent2mots · January 21, 2021, 12:33pm

Hello,

Thanks for your quick answer! The mapping is huge so I can't paste it here...

However, as you say, there is no index_stats.shards.total field in the mapping but why I can see it in discover if the field is not available?

Best regards,

flash1293 · January 21, 2021, 12:38pm

Hey, it works because Discover is operating on the _source object of the individual documents, so it is able to show field which are not indexed. Visualizations however rely on aggregations for performance reasons, and those only work on indexed fields.

vincent2mots · January 21, 2021, 1:10pm

Thanks.

So on this specific index (directly created by Elasticsearch) I will not be able to use this field?

chrisronline · January 21, 2021, 1:59pm

The field is indexed, but it is not mapped, as it does not appear in the mappings.

If you want to run an aggregation on a field (which is usually necessary for building any kind of visualization), you'll need to create a custom mapping (using index templates) where you explicitly map this field.

vincent2mots · January 22, 2021, 7:55am

Hi @chrisronline!

This is a very good idea but the index (.monitoring-es*) is not directly managed by me but by Elasticsearch itself.

I'm not sure I will be able to modify the mapping (to add a template) on this index?

Best regards,

chrisronline · January 22, 2021, 2:20pm

Hi @vincent2mots

You are able to add additional templates that affect indices that you don't manage directly.

Try putting this into Kibana dev tools:

PUT _template/custom_monitoring_template
{
  "index_patterns": [
    ".monitoring-es-*"
  ],
  "mappings": {
    "properties": {
      "index_stats": {
        "properties": {
          "shards": {
            "properties": {
              "total": {
                "type": "long"
              }
            }
          }
        }
      }
    }
  }
}

This will affect newly created indices, so it will not automatically start working until the next index is created (which will be tomorrow)

vincent2mots · January 22, 2021, 2:58pm

chrisronline:

PUT _template/custom_monitoring_template
{
  "index_patterns": [
    ".monitoring-es-*"
  ],
  "mappings": {
    "properties": {
      "index_stats": {
        "properties": {
          "shards": {
            "properties": {
              "total": {
                "type": "long"
              }
            }
          }
        }
      }
    }
  }
}

Thanks!! That's perfect!

system · February 19, 2021, 2:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
.monitoring-es* indices: Kibana can't see all fields Kibana elastic-stack-monitoring	4	584	March 11, 2019
Kibana unknown index pattern fields Kibana	6	2413	December 3, 2020
Fields Coming as unknown in Index Elasticsearch elastic-stack-monitoring	1	318	November 19, 2020
Uknown fields Kibana	5	321	March 28, 2021
Fields restriction on index patterns Kibana elastic-stack-monitoring	3	427	March 13, 2020

Kibana and unknown field

Related topics