The problem is the following: Our applications use ECS-Logs (Overview | Elastic Common Schema (ECS) Reference [1.10] | Elastic) to be indexed by Filebeat. We use the default configuration, which uses an "ignore_above: 1024" setting to process the "error.stack_trace" keyword field, which has an extended field "error.stack_trace.text" of type "text".
"error": {
  "properties": {
    "code": {
      "ignore_above": 1024,
      "type": "keyword"
    },
    "id": {
      "ignore_above": 1024,
      "type": "keyword"
    },
    "message": {
      "norms": false,
      "type": "text"
    },
    "stack_trace": {
      "fields": {
        "text": {
          "norms": false,
          "type": "text"
        }
      },
      "ignore_above": 1024,
      "index": false,
      "type": "keyword"
    },
    "type": {
      "ignore_above": 1024,
      "type": "keyword"
    }
  }
},
In Kibana, stacktraces with <1024 bytes are displayed correctly in the table view of the document. But when the size of the stacktrace exceeds this limit, neither "error.stack_trace" (which is to be expected) nor "error.stack_trace.text" is shown. So I have no way to see the properly formatted (newlines, tabs translated to HTML) stacktrace. I can just see it in the JSON view (string content with "\n\t...").
I would like to have some advice on how to handle this. Otherwise our ELK-Stack solution is quite unusable for these situations.
Best regards
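To find which events hit the limit described in the post above before they reach Kibana, the following added example (not the poster's or Elastic's code) reads the keyword limits out of the posted mapping and flags ECS JSON log lines whose values exceed them. The function names and the sample log lines are constructed for illustration; Elasticsearch applies ignore_above to the character count of the string, which is what `len()` measures here.

```python
import json

# Mapping fragment from the post, wrapped in braces so it parses on its own.
MAPPING = json.loads("""
{"error": {"properties": {
  "code": {"ignore_above": 1024, "type": "keyword"}, "id": {"ignore_above": 1024, "type": "keyword"},
  "message": {"norms": false, "type": "text"}, "type": {"ignore_above": 1024, "type": "keyword"},
  "stack_trace": {"fields": {"text": {"norms": false, "type": "text"}},
                  "ignore_above": 1024, "index": false, "type": "keyword"}}}}
""")

def keyword_limits(props, prefix=""):
    """Map each keyword field's dotted path to its ignore_above value."""
    limits = {}
    for name, spec in props.items():
        path = prefix + name
        if spec.get("type") == "keyword" and "ignore_above" in spec:
            limits[path] = spec["ignore_above"]
        limits.update(keyword_limits(spec.get("properties", {}), path + "."))
    return limits

def flatten(obj, prefix=""):
    """Yield (dotted.path, value); handles nested objects and dotted keys."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from flatten(value, prefix + key + ".")
        else:
            yield prefix + key, value

def oversized(lines, limits):
    """Return (line_no, field, char_count, limit) for strings longer than ignore_above."""
    hits = []
    for no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except ValueError:
            continue  # not a JSON log line
        if not isinstance(event, dict):
            continue
        for path, value in flatten(event):
            if isinstance(value, str) and len(value) > limits.get(path, len(value)):
                hits.append((no, path, len(value), limits[path]))
    return hits

# Constructed sample input: nested keys, dotted keys, and a non-JSON line.
LONG_TRACE = "java.lang.IllegalStateException: boom\n" + "\tat com.example.Service.call(Service.java:42)\n" * 40
SAMPLE = [json.dumps({"error": {"type": "java.io.IOException", "stack_trace": "short\n\tat a.B.c(B.java:1)"}}),
          json.dumps({"error.stack_trace": LONG_TRACE, "error.message": "boom"}),
          "plain text line, not JSON"]
```

Calling `oversized(SAMPLE, keyword_limits(MAPPING))` reports only the second line, whose stack trace is longer than 1024 characters.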