Kibana Unknown Field Type

There is a field (_path) in my Kibana Discovery tab which shows up as unknown type (?) yet it is listed in my dynamic template mapping as "keyword". Everything else in the template works great.

The data in _path is simply the name of a Zeek log. I.e. conn, dns, etc.

Can anyone explain how to get _path to show up as keyword instead of unknown? I've also tried making the type "text" as well but that didn't work either.

Thanks ahead of time!

image.png528×818 24.9 KB

"logstash-2019.10.08": {

• "mappings": {
  • "dynamic_templates": [
    • {
      • "message_field": {
        • "path_match": "message",
        • "match_mapping_type": "string",
        • "mapping": {
          • "norms": false,
          • "type": "text"}}}
            , * {
      • "string_fields": {
        • "match": "*",
        • "match_mapping_type": "string",
        • "mapping": {
          • "fields": {
            • "keyword": {
              • "ignore_above": 256,
              • "type": "keyword"}},
          • "norms": false,
          • "type": "text"}}}],
  • "properties": {
    • "@timestamp": {
      • "type": "date"},
    • "@version": {
      • "type": "keyword"},
    • "_path": {
      • "type": "keyword"},

This generally occurs when your index pattern matches indices that have conflicting field types in their mappings. Can you take a look at your index pattern under management > Index Patterns and inspect the _path field? You should see a list of indices and the conflicting types similar to this screenshot:

This is from 7.2 so it might look slightly different for you depending on which version you're using. Once you've identified the index or indices which have the wrong mapping, you can fix this by reindexing the data into indices with the correct mappings defined. Here are some resources:

• How to fix mapping conflict?
• Mapping conflict!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.