No cached mapping

I've been having an issue with a few fields that have the "No cached mapping for this ...." warning message. I asked about this issue in the Logstash forum (I wanted to make sure the config wasn't the problem) and was told to check here.

I'm using the information from this site, and everything is working except for a few fields. https://www.syspanda.com/index.php/2018/05/03/monitoring-active-directory-elk/

I've refreshed the Index Patterns multiple times to no avail. However, upon some research I did see some information about nesting. I'm not sure if that's my issue here or not.

Not sure what that could be.

Is that Method field a nested field?

It very well could be nested; however, I don't know how to tell if it is.

You can run a _search in the dev-console against that index, and see what kind of data-structure you get back in the raw response from Elasticsearch.

https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html

When I run a search on that index, the field "Method" is not there. I ran a few different searches just to make sure, and in all of them the field was not present. So I guess that means that it's not nested?

hmm.. that's probably the problem (?)

You can also check if your actual index has the field explicitly defined. Try myindex/_mapping, and check what data-type the Method field has there.

Well I found my field:

      "method" : {
        "type" : "text",
        "fields" : {
          "keyword" : {
            "type" : "keyword"
          }
        }
      },

Does this tell you what you need to know?

Hmmm... that field name looks wrong in the Kibana index pattern. It should be method with a lowercase m.

Wow, that worked. I'm not even sure how that happened, but thank you for your help.
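The mismatch found in this thread (the index pattern referring to Method while the index maps method) can be checked for mechanically. The following is an added example, not code from any poster in the thread: it assumes you have copied the "properties" section out of the myindex/_mapping response, and the function names and every field other than method are constructed for illustration.

```python
# Constructed sample: the "properties" section of a myindex/_mapping response.
# Only "method" (text + keyword multi-field) comes from the thread; the
# event_data object and its child field are made up for illustration.
SAMPLE_PROPERTIES = {
    "method": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "event_data": {"properties": {"TargetUserName": {"type": "keyword"}}},
}


def flatten(properties, prefix=""):
    """Return {dotted field path: type}, including multi-fields like x.keyword."""
    out = {}
    for name, spec in properties.items():
        path = prefix + name
        if "type" in spec:
            out[path] = spec["type"]
        # Object fields nest under "properties", multi-fields under "fields".
        for key in ("properties", "fields"):
            out.update(flatten(spec.get(key, {}), path + "."))
    return out


def check_fields(wanted, properties):
    """Classify each field name a dashboard or index pattern uses.

    Result per name: ("ok", [name]), ("case_mismatch", [mapped spellings])
    or ("missing", []). Elasticsearch field names are case-sensitive, so a
    case_mismatch entry points at a name that will never resolve as written.
    """
    mapped = flatten(properties)
    by_lower = {}
    for path in mapped:
        by_lower.setdefault(path.lower(), []).append(path)
    report = {}
    for field in wanted:
        if field in mapped:
            report[field] = ("ok", [field])
        elif field.lower() in by_lower:
            report[field] = ("case_mismatch", sorted(by_lower[field.lower()]))
        else:
            report[field] = ("missing", [])
    return report


if __name__ == "__main__":
    for name, result in check_fields(["Method", "method.keyword"], SAMPLE_PROPERTIES).items():
        print(name, result)
```

For AD monitoring dashboards this is worth running whenever the Logstash filters change, since a visualization or alert query built on a field name that differs only in case from the mapped one matches no documents.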