When creating a new visualization, original fields name changed to abnormal keywords like.
but in raw log json file there is no extra fields name as shown in above figure.
Is there anyone who happened like this issue ? Any discussion are welcome and please give me some advice.
Hi @kyaw, welcome to the discussion boards!
The keyword property is showing up as a result of Dynamic Mapping. This data was indexed into Elasticsearch without an index mapping pre-defined, so Elasticsearch created one for you, based on the dynamic field mapping rules.
Simple text fields often get index as two separate fields: the original, and original.keyword, which contains the same data as the original field, but mapped as a keyword data type in Elasticsearch. Keywords are typically more useful in Kibana visualizations than their corresponding text fields, but don't benefit from stemming or other analysis features of Elasticsearch.
If you don't want this behavior, then you can create your index mapping before you ingest your data, and explicitly tell Elasticsearch what the index should look like.
@Larry_Gregory Thanks for replying. I know about dynamic mapping.
As shown in Figure 1, logs-endpoint-winevent-sysmon-* index contains hostname.keyword and event_id.keyword ....etc. fields name. But suddenly original fields name like hostname.keyword or event_id.keyword changed to A.keyword, B.keyword but in Kibana dashboard still working fine, but I can't create new Dashboard or Visualization because original fields name like ** event_id.keyword" changed to ** A.keyword, B.keyword ....etc**.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
