Per the Analyzed Field tooltip:
Careful! The field selected contains analyzed strings. Analyzed strings are highly unique and can use a lot of memory to visualize. Values such as foo-bar will be broken into foo and bar. See Mapping Types for more information on setting this field as not_analyzed.
You'll have to change your mappings to not analyzed for that field. Check: Create template, and here: Reindexing
Here was my process after installing the Sense plugin:
PUT /_template/bro_template
{
  "template": "bro-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ]
    },
    "bro_ts": {
      "properties": {
        "ts": { "type": "date", "format": "epoch_millis" }
      }
    },
    "bro_orig_h": {
      "properties": {
        "id.orig_h": { "type": "ip" }
      }
    },
    "bro_resp_h": {
      "properties": {
        "id.resp_h": { "type": "ip" }
      }
    },
    "bro_assigned_ip": {
      "properties": {
        "assigned_ip": { "type": "ip" }
      }
    }
  }
}
After creating the index you have to create a new index and copy the data from the old index into it, which will pick up the new template when you do it:
PUT /bro-201609140900-1

POST /_reindex
{
  "source": {
    "index": "bro-201609140900"
  },
  "dest": {
    "index": "bro-201609140900-1"
  }
}

DELETE /bro-201609140900
If you're matching by pattern in your index setup, like I am with bro-*, then it really doesn't matter if you keep the exact same name of the index or not. Hope that helps.
Note to devs: The above information took me almost two days to figure out. Maybe I'm just daft, but I HIGHLY recommend a FAQ or "Common Operations" section somewhere here:
Topics could include the process of creating a template, reindexing, etc. Maybe even a section on common things that people run into, like the above how to fix analyzed string fields and whatnot.
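
The reindex steps in the post above end with a DELETE of the source index, which cannot be undone. The following is an added example, not part of the original post: a Python wrapper that runs the same PUT / POST /_reindex sequence and deletes the old index only after the document counts match and no string field in the new index is still analyzed. The names `es_http`, `analyzed_strings` and `safe_reindex`, and the unauthenticated node at `localhost:9200`, are assumptions.

```python
import json
import urllib.request

ES = "http://localhost:9200"  # assumption: local node without authentication

def es_http(method, path, body=None):
    """Minimal JSON transport for the Elasticsearch REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def analyzed_strings(props, prefix=""):
    """Recursively list string fields that are not mapped as not_analyzed."""
    bad = []
    for field, spec in props.items():
        name = prefix + field
        if spec.get("type") == "string" and spec.get("index") != "not_analyzed":
            bad.append(name)
        bad += analyzed_strings(spec.get("properties", {}), name + ".")
    return bad

def safe_reindex(src, dst, http=es_http):
    """Copy src into dst; delete src only once the copy has been verified."""
    http("PUT", f"/{dst}")  # new index picks up the matching template
    result = http("POST", "/_reindex",
                  {"source": {"index": src}, "dest": {"index": dst}})
    if result.get("failures"):
        raise RuntimeError(f"reindex failures: {result['failures']}")
    http("POST", f"/{dst}/_refresh")  # make copied documents visible to _count
    src_n = http("GET", f"/{src}/_count")["count"]
    dst_n = http("GET", f"/{dst}/_count")["count"]
    if src_n != dst_n:
        raise RuntimeError(f"count mismatch: {src}={src_n}, {dst}={dst_n}")
    bad = []
    mappings = http("GET", f"/{dst}/_mapping")[dst]["mappings"]
    for type_name, type_map in mappings.items():
        bad += analyzed_strings(type_map.get("properties", {}), type_name + ".")
    if bad:
        raise RuntimeError(f"template not applied, still analyzed: {sorted(bad)}")
    http("DELETE", f"/{src}")  # destructive step, reached only after all checks
    return dst_n
```

With the index names from the post, the call would be `safe_reindex("bro-201609140900", "bro-201609140900-1")`.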