I'm curious about the rationale for indexing urls as keyword by default (in my case it's nginx.access.url, but I noticed it's the same for apache and others) .
The documentation states that Keyword fields are searchable by their exact value only. Now, I think it's pretty common to search logs for parts of urls: Show me timings for all images, show me timings for all images of a specific customer, etc.
This way the url field is barely usable by default.
You can use a wide range of queries on a keyword, for example prefix, wildcard, regex and fuzzy. See Term level queries.
I guess it would be more correct to state that "keyword fields are indexed by their exact value", unlike text fields, which are passed through an analyzer to convert the string into a list of terms that are indexed individually.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.