No .raw field in kibana

Elastic Stack Logstash
1

I am seeing an issues where i am not seeing .raw fields but instead i am seeing .keyword fields. I know there was a problem when you change the default index name from logstash-* to something else but couldn't recall the fix for it. How do i get the raw fields back? Any idea.

Also as i have already ingested so many data now. Is there a way to re-index those data to get the .raw fields. This broke my dashboard too.

Logstash Version:- 5.5

2

It's in the default index template. You would have to change your template. I recommend updating it for Elasticsearch 5.x anyway, as mapping changes occurred (even if you preserve .raw instead of .keyword).

To "fix" your .keyword fields, you will have to re-index your data using the Reindex API, or potentially the Reindex action in Elasticsearch Curator.

It might be easier/better to fix the dashboards to use .keyword and reindex the old data to also be .keyword, but I have no idea what scale or volume of data you're dealing with.

3

@theuntergeek Consider me as newbie , could you suggest how to update the default template. My problem with updating the template is that the index names are dynamic. How can i update a template that will match any new index that i create. I don't have a fixed pattern as they are tied to aws account names. Could you please provide an example.?

Is .raw equivalent to .keyword.? Can i just just leave as it is to .keyword and change my visualizations from raw to keyword?

For reindexing, do i need to fix the mappings first?

--
Niraj

4

Use the GET _template command.

You can see here that this template matches everything that comes in, regardless of the index name.
image

Definitely go reads through the documentation if you haven't already.
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.