Kibana doesn't show .keyword field under fields dropdown

Elastic Stack Kibana
1

I have an ES index generated by logstash that has the keyword field for all the properties, visible using ES API in kibana but on visualize page when I try to apply aggregation on Term, Field drop-down doesn't show any .keyword fields at all. What am I missing ?

ES API ->

"mcs-elasticsearch": {
    "mappings": {
      "flower_document": {
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "@version": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "beat": {
            "properties": {
              "hostname": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "version": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              }
            }
          },
          "function": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "host": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "input_type": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "loglevel": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "message": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
....

Kibana Visualize ->

fields.png469×715 27.4 KB

2

beat.hostname is in the dropdown though I don't see beat.name. Are you sure there is data for that key within the search parameters you have?

3

Scroll down the ES data, you'll see beat.name and beat.version. My problem wasn't that though. As you could see every property has

"fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }

so I expect Fields dropdown should show both host and host.keyword options for full text search and aggregation respectively. But it doesn't!

Precisely I wanted to achieve this without having to enable fielddata:
https://www.elastic.co/guide/en/elasticsearch/reference/current/fielddata.html#before-enabling-fielddata

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

5

For those finding this post/question through a search engine: the solution for this problem is to refresh the field list of the Index Pattern of the affected Index in Kibana. See https://www.elastic.co/guide/en/kibana/current/managing-fields.html#_manage_your_index_pattern