Kibana not using sub keyword field for sorting


(Luis) #1

I have installed the latest docker containers for Elasticsearch, Logstash and Kibana 5 and have logback-logstash sending tomcat logs into this ELK stack.

The ES mapping is automatically created and looks correct as per the new ES 5 text mapping.

Here's a snippet of the mapping:

      "host": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "level": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }

The data loads fine in Kibana, but whenever I try to sort on level or host I get the error:

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [application] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"logstash-2016.11.23","node":"XXXX","reason":{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [application] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."}}],"caused_by":{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [application] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."}},"status":400}

My understanding is that I don't need fielddata enabled since I'm not trying to do a full text search on those fields, I just want to sort by exact keyword and that should be possible with this new mapping without having to enable it, right?

Is this something that is not implemented yet, am I understanding it wrong or is it just some configuration that I'm missing? It seems a bit overkill to enable that when the docs say:

This allows to perform full-text search on the original field name and to sort and run aggregations on the sub keyword field.

Thanks,

Luis


(Shaunak Kashyap) #2

Hi @lsilva,

This is a shortcoming of the current Discover UI. Generally, it could be smarter about how it handles multi-fields. There is a bug for this already that you may want to track: https://github.com/elastic/kibana/issues/7419.
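Added example, not part of the original thread and not Kibana's code: a Python sketch of the multi-field resolution discussed above, which picks the `keyword` sub-field from the mapping so the sort never touches the `text` field and fielddata stays disabled. The function names `sortable_field` and `build_search_body` are hypothetical, and the `message` field is constructed to show the failure case.

```python
import json

# "host" and "level" are copied from the mapping snippet in the question.
# "message" is a constructed text-only field with no keyword sub-field.
PROPERTIES = {
    "host": {"type": "text",
             "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    "level": {"type": "text",
              "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    "message": {"type": "text"},
}


def sortable_field(properties, name):
    """Return the field path that can be sorted on without enabling fielddata."""
    spec = properties[name]
    # Non-text fields (keyword, date, numeric) sort on doc values directly.
    # A text field with fielddata explicitly enabled is also sortable as-is.
    if spec.get("type") != "text" or spec.get("fielddata") is True:
        return name
    # For an analyzed text field, use its keyword sub-field if the mapping has one.
    for sub_name, sub_spec in sorted(spec.get("fields", {}).items()):
        if sub_spec.get("type") == "keyword":
            return f"{name}.{sub_name}"
    raise ValueError(
        f"[{name}] is a text field with no keyword sub-field; "
        "sorting on it would require fielddata=true"
    )


def build_search_body(properties, name, order="asc"):
    """Build a search body that sorts on the resolved field path."""
    path = sortable_field(properties, name)
    # Values longer than ignore_above are not indexed in the keyword sub-field,
    # so those documents have no sort value; "missing" places them last.
    return {
        "query": {"match_all": {}},
        "sort": [{path: {"order": order, "missing": "_last"}}],
    }


if __name__ == "__main__":
    print(json.dumps(build_search_body(PROPERTIES, "level", "desc"), indent=2))
```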


(Luis) #3

Ok, thank you. I'll follow it up there.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.