Hi Stephen
We upgraded to 8.15.2 - Same result 
Could it be related to event.dataset typing?
What I noticed now is that event.dataset is a String field with keyword subfield.
Grouping options via discover:
keyword field:keyword subfield:
String subfield:
Not possible to group on String field
I'll get back to you once tested with correct typed fields..
Best regards
Christof
Hi @stephenb
It seems your last suggestion to debug via Discover did point me in the right direction!
Checking an item further in the past (dataset finally appears):
Timeframe we were checking (dataset is shown too together with other sources) 
For completeness, my updated Component Template
(I'm disabling all_strings_to_keywords because keyword fields make searches harder)
PUT _component_template/logs@custom
{
"template": {
"settings": {
"index": {
"number_of_replicas": "0",
"default_pipeline": "calculate_lag",
"codec": "best_compression"
}
},
"mappings": {
"dynamic": true,
"date_detection": true,
"dynamic_date_formats": [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z",
"yyyy-MM-dd HH:mm:ss,SSS"
],
"dynamic_templates": [
{
"all_strings_to_keywords": {
"unmatch" : "*",
"match_mapping_type": "string",
"mapping": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"data_stream.namespace": {
"type": "constant_keyword"
},
"data_stream.dataset": {
"type": "constant_keyword"
},
"data_stream.type": {
"type": "constant_keyword",
"value": "logs"
},
"log.level": {
"type": "keyword"
},
"service.name": {
"type": "keyword"
},
"event.dataset": {
"type": "keyword"
},
"container.id": {
"type": "keyword"
},
"host.hostname": {
"type": "keyword"
},
"host.name": {
"type": "keyword"
}
}
}
},
"_meta": {
"managed": true,
"description": "default mappings for the logs index template installed by x-pack"
}
}
CONCLUSION
event.dataset field was shown via Discover as Keyword field, although it was only a subtype on my system (primary type String)Log rate per minute tile on the Observability Overview screen did not pick up the event.dataset field8.14.3, but system was already upgraded to 8.15.2Thanks a lot for your persistence!
Christof
Hi, I am just scanning this issue quickly but I noticed that your file has beat.version: 6.5.1, which would imply that it's almost 6 years out of date from current, and would have very limited support for Elastic Common Schema, which could be the cause of some of the field type conflicts that you're experiencing. Can you confirm that your beats version is up to date? If not, then you can download current beats from: Download Beats: Data Shippers for Elasticsearch | Elastic
Thanks for stopping by!
I'm currently in the process of upgrading an old standalone 7.16 stack to a new RPM installed 8.15.2 stack. The logs are old logs, which have to be migrated.
Issue has been resolved since this morning. Below my conclusions:
With an import remark, why we didn't have the keyword mapping:
Those logs for the migration are fetched, cleaned (file 1) & enriched (file 2) with new fields, cfr. my migration pipeline:
FYI:
Best regards
Christof
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.