New mapped field not getting added as searchable even after doing "refresh field list"

lmrc1r0 · May 24, 2019, 7:08pm

Hello,
I recently upgraded from 5.X to 6.7.2.
Most of my new logging indexes are fresh on the system, not imported.
I also imported some old indexes from old ES cluster using reindex.
So all indexes should be in native 6.7.2 format etc.

I recently added a new field to my logging setup in 6.7.2.
I needed to add "fields.type" because, with 6+ ES and filebeats 6.?+ removal of types
it was breaking logstash filter rules for matching.

Filebeats.yml now looks like this

filebeat.inputs:
 
 - type: log
   paths:
     - /var/log/nginx/access.log
   fields:
    environment: env1
   type: nginx_access

There is also a matching logstash filter entry:

if [type] == 'nginx_access' or [fields][type] == 'nginx_access' {

That is working as I see the entries show up in Kibana as
kibana_fields_type

Please note that a preexisting fields.environment is and has been working since I setup the cluster.

I am using a template that has these mapping.
I updated the template to have the new mapping.
(leaving out some details for brevity from a GET _template)

"index_patterns" : [
  "logs-*"
],

},
"mappings" : {
  "doc" : {
    "dynamic" : false,
    "properties" : {

      "fields.type" : {
        "normalizer" : "lowercase",
        "type" : "keyword"
      },
      "http_upstream_connect_time" : {
        "type" : "float"
      },
      "fields.environment" : {
        "normalizer" : "lowercase",
        "type" : "keyword"
      },

I know logstash is processing and setting the "field.type" and I can see it in Kibana.

I have attempted multiple times to use the "Refresh field list" option in the Kibana UI.

I do have multiple index patterns in Kibana to allow for segmented "views".
I did send some new data with the new fields before setting the template.
However I am getting new data and at least once new index has been created (daily index for logging) with the new fields.

Does anyone have any idea what I might need to do to get Kibana to update and use the new field.type as searchable ?

It does not show up in the list of fields in the index despite multiple field refresh attempts.

I have not seen any issues in Kibana or ES logs. I do see new .kibana indexes being created when I attempt the refresh.

The changes made were in reference to this

Is it possible that type is a reserved name that breaks when used anywhere?

Thanks very much in advance for any help or ideas!

system · June 21, 2019, 7:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Set up index for fields created with logstash Logstash	2	829	September 14, 2018
No cached mapping for this field / refresh of fields not working Kibana	4	12701	April 9, 2019
Fields/mappings lost when refreshing field list Kibana	3	1470	February 16, 2018
Newly added Field Not available for aggregations Kibana	8	591	March 11, 2021
Added new mappings, fields are now gone from kibana search Elasticsearch	1	416	May 3, 2017

New mapped field not getting added as searchable even after doing "refresh field list"

Related Topics