In the 'Analyzing Script Attacks' lesson the the teacher adds keyword to by_field_name and over_field_name, where can I read more about this? Also, keep getting this error
Save failed: [status_exception] This job would cause a mapping clash with existing field [event_data.NewProcessName] - avoid the clash by assigning a dedicated results index
x
but I checked the dedicated index box on the first page under job details.
Hello,
You can reference the ML documentation to get more info on those types of fields. In terms of the index clash - what is happening is the ML process is trying to update the index mapping in a way that causes a conflict. Your best bet is to create ML jobs that have dedicate indexes to avoid this.
OK so regarding 'keywords' and adding them as 'influencers' etc. from here -
https://www.elastic.co/guide/en/elasticsearch/reference/master/keyword.html
They are typically used for filtering (Find me all blog posts where status is published), for sorting, and for aggregations. Keyword fields are only searchable by their exact value.
If you need to index full text content such as email bodies or product descriptions, it is likely that you should rather use a text field.
The above doesn't explain it... at least not to me.
Why does he use keyword? uri_requests.keyword, clientip.keyword response.keyword? What's the benefit of this on these fields?
I did find this in a blog which helps a little...
To make things better, Elasticsearch decided to borrow an idea that initially stemmed from Logstash: strings will now be mapped both as text and keyword by default. For instance, if you index the following simple document:
{
"foo": "bar"
}
Then the following dynamic mappings will be created:
{
"foo": {
"type" "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
As a consequence, it will both be possible to perform full-text search on foo, and keyword search and aggregations using the foo.keyword field.
The only explanation the course gives is -
".keyword" fields need to be used otherwise the analysis will fail due to the way the data is indexed. We recommend taking our "Developer" or "Operations" courses if this isn't clear.
fields
It is often useful to index the same field in different ways for different purposes. This is the purpose of multi-fields. For instance, a string field could be mapped as a text field for full-text search, and as a keyword field for sorting or aggregations:
Yes, they're another way to index your data for different purposes. We talk about these types of things a lot in our Elasticsearch Developer I course as well as our Elasticsearch Operations I course. I recommend you take one of those to get a firm understanding of not only that concept but many other important concepts as well.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.