No results in .raw fields

ayasha88 · December 2, 2015, 3:32pm

Hi I can not see any results in my raw fields..
This is my index template:
{ "log-2015.12.02": { "aliases": {}, "mappings": { "_default_": { "_all": { "enabled": true, "omit_norms": true }, "dynamic_templates": [ { "message_field": { "mapping": { "index": "analyzed", "omit_norms": true, "type": "string", "fields": { "raw": { "ignore_above": 256, "index": "not_analyzed", "type": "string" } } }, "match": "message", "match_mapping_type": "string" } }, { "string_fields": { "mapping": { "index": "analyzed", "omit_norms": true, "type": "string", "fields": { "raw": { "ignore_above": 2, "index": "not_analyzed", "type": "string" } } }, "match": "*", "match_mapping_type": "string" } } ] }, "logEvent": { "_all": { "enabled": true, "omit_norms": true }, "dynamic_templates": [ { "message_field": { "mapping": { "index": "analyzed", "omit_norms": true, "type": "string", "fields": { "raw": { "ignore_above": 256, "index": "not_analyzed", "type": "string" } } }, "match": "message", "match_mapping_type": "string" } }, { "string_fields": { "mapping": { "index": "analyzed", "omit_norms": true, "type": "string", "fields": { "raw": { "ignore_above": 2, "index": "not_analyzed", "type": "string" } } }, "match": "*", "match_mapping_type": "string" } } ], "properties": { "className": { "type": "string", "norms": { "enabled": false }, "fields": { "raw": { "type": "string", "index": "not_analyzed", "ignore_above": 2 } } }, "messageObject": { "type": "object" }, "properties": { "properties": { "@timestamp": { "type": "date", "format": "strict_date_optional_time||epoch_millis" }, "page": { "type": "string", "norms": { "enabled": false }, "fields": { "raw": { "type": "string", "index": "not_analyzed", "ignore_above": 2 } } } } } } } }, "settings": { "index": { "creation_date": "1449044015188", "refresh_interval": "5s", "number_of_shards": "5", "number_of_replicas": "1", "uuid": "mqENQQ_5QEu1rsaJRik_qg", "version": { "created": "2000099" } } }, "warmers": {} },

In the non .raw fields I can see all my results.. Why is this? Please help me!

ayasha88 · December 2, 2015, 3:42pm

I am interested in the page field..

tbragin · December 9, 2015, 5:12am

Do you see this data in Elasticsearch?

ayasha88 · December 9, 2015, 7:59am

No in elasticsearch i can't see the data of the .raw fields either.. I tried

POST log-*/_search { "size": 0, "query": { "filtered": { "query": { "query_string": { "query": "*", "analyze_wildcard": true } }, "filter": { "bool": { "must": [ { "range": { "timeStamp": { "gte": 1447056537765, "lte": 1449648537765, "format": "epoch_millis" } } } ], "must_not": [] } } } }, "aggs": { "2": { "terms": { "field": "properties.page.raw", "size": 5, "order": { "_count": "desc" } } } } }

with no results and then the same without .raw with many results.

ayasha88 · December 9, 2015, 8:17am

Moreover if i go in Discover and I undo "Hide missing fields" all the .raw fields are visible but are empty.. Why is this??

tbragin · December 9, 2015, 2:36pm

Kibana can only show you what is in Elasticsearch, so if they are not in ES, they won't show up in Kibana either. You're likely having a problem correctly parsing the data. If you're using Logstash, I'd post a thread in that forum.

Topic		Replies	Views
Issue in getting raw fields Elasticsearch	9	1792	July 5, 2017
Confused about how to use .raw fields and not analyze string fields Kibana	37	51273	July 6, 2017
No .raw field in kibana Logstash	4	2340	September 27, 2017
Field set as not analyzed but kibana shows it as analyzed Elasticsearch	5	2356	July 5, 2017
Message.raw in logstash 2 Logstash	6	1723	July 6, 2017

No results in .raw fields

Related Topics