Kibana field stopped being detected as "keyword", screwing up visualizations. How to fix?

Hi everyone,

As you can see in these two images, there is a different number of records for these two searches. About a week ago, this field (as well as few others) stopped being detected as keyword, resulting in some visualizations which require the fields to be keywords breaking (not showing new data since after the change a week ago).

The problem is I have no idea why this field and others are no longer being identified as keyword. When I look at the underlying data in Discover (such as in json) the fields look identical. As far as I know, no settings changes happened around that time. It is possible the version got upgraded, but I think that was a few days before that.

Can anyone explain how to fix this? Ideally, all data would be correctly identified as keyword so the visualizations would just start working again.

Thanks,
Kyle

EDIT: this post Issue with keyword aggregation following update to 6.0 seems related, however, I don't fully understand what is going on there. Perhaps @weltenwort can explain?

Edit2: When I talked with the engineer who owns Elastic Search and Kibana, he said the old (working) mapping has this:
2018-01-30 has a mapping for event.local_user_id.keyword
Where the new (broken) mapping has:
2018-01-31 has a mapping for event.local_user_id.raw (as a keyword type)
Where would this be set? How to fix for these old ones and any newly generated indexes?

Hi @kyle1441,
Could you show me the results of the request GET /{your index}/_mapping using the dev tools?
Your keyword fields mapping should have the following structure:

"{field name}": {
  "type": "text",
  "fields": {
    "keyword": {
      "type": "keyword",
      "ignore_above": 256
    }
  }
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.