Missing text field when creating a visualization with Lens

Hello and good morning,

Since the last update to 7.12.1, Lens replaced the "normal" visualizations. I have an index (Oracle alert logs) which has a message field as text, but it is missing the keyword. Even creating a new index pattern for this index (with Kibana) doesn't create the keyword. In Lens I can't select the text field.

How can I add a text field to a Lens visualization, or how can I add the keyword to the index pattern?

Thank you in advance!

Greets
Boris

The "normal" visualizations are still available (just click "Aggregation based" in the dialog when creating a new visualization).

However I don't think they will be able to help you with your problem (depending on what exactly you want to do with this field), because it's not possible to do aggregations (which is the basis for visualizations) with text fields. You need to change the type of your field in the mapping of your Elasticsearch index, then re-index your data - it's not possible to solve this on the Kibana side.

Hi flash,

Thanks for the hint, I found them. But the message field (text) is not available either. Even the "normal" visualizations just show the keyword.

I just want to show the message in a data table. I could re-index my data, but my problem is that I don't get how to add the field to the mapping and how to do a re-indexing.

When I add a mapping like that:

PUT /oracle-logs/_mapping
{
  "properties": {
    "message": {
      "type": "text",
      "fields": {
        "raw": {
          "type": "keyword"
        }
      }
    }
  }
}

I get this error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "Mapper for [message] conflicts with existing mapper:\n\tCannot update parameter [norms] from [false] to [true]"
      }
    ],
    "type" : "illegal_argument_exception",
    "reason" : "Mapper for [message] conflicts with existing mapper:\n\tCannot update parameter [norms] from [false] to [true]"
  },
  "status" : 400
}

Besides, why isn't the field message created as keyword when I create a new index pattern? Every other field gets a field as keyword, only message is missing.

Greets
Boris

Yeah, you can't edit the mapping like this in-place, you need to create a second index next to your existing one with the updated mapping, then re-index data from source to target index using the reindex api: Reindex API | Elasticsearch Guide [8.11] | Elastic

Besides, why isn't the field message created as keyword when I create a new index pattern? Every other field gets a field as keyword, only message is missing.

The index pattern is just reflecting the mapping of your Elasticsearch index. The module which created the index did not create a keyword mapping for the message field.

Quick note: If you want to show unaggregated data only, you can also go to Discover and save the current view as "saved search" which can be added to the dashboard as well.
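
The procedure described in the reply above, written as Kibana Dev Tools requests. This is an added example, not part of the original thread. The target index name `oracle-logs-v2` and the `ignore_above` value are assumptions; `"norms": false` is carried over because the error message shows the existing `message` field was created with it.

```console
# 1. Look at the current mapping of the field. The 400 error above says
#    the existing "message" mapper has norms set to false.
GET /oracle-logs/_mapping/field/message

# 2. Create the target index (assumed name) with the multi-field.
#    Only "message" is shown here; copy the remaining properties from
#    GET /oracle-logs/_mapping so the other fields keep their types
#    instead of being dynamically re-mapped.
PUT /oracle-logs-v2
{
  "mappings": {
    "properties": {
      "message": {
        "type": "text",
        "norms": false,
        "fields": {
          "raw": {
            "type": "keyword",
            "ignore_above": 8191
          }
        }
      }
    }
  }
}
# ignore_above (assumed value): messages longer than this many characters
# are still stored and searchable as text, but are not indexed in
# message.raw. Without a limit, a single term over Lucene's 32766-byte
# maximum makes the whole document fail to index.

# 3. Copy the documents from the old index into the new one.
POST /_reindex
{
  "source": { "index": "oracle-logs" },
  "dest":   { "index": "oracle-logs-v2" }
}

# 4. Confirm both indices hold the same number of documents before
#    pointing anything at the new index.
GET /oracle-logs/_count
GET /oracle-logs-v2/_count
```

After the reindex, make sure the Kibana index pattern matches the new index and refresh its field list so that `message.raw` shows up as an aggregatable field.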
