This question is similar to https://discuss.elastic.co/t/kibana-this-field-is-present-in-your-elasticsearch-mapping-but-not-in-any-documents-in-the-search-results-you-may-still-be-able-to-visualize-or-search-on-it/25903
So all of the .raw fields in a particular index are hidden by default because Kibana thinks they don't show up in any document. Reference:
If I click on visualize here (I persist the same datetime range filter and any other filters/searches that currently apply), i see something like this
So it seems like there is something in the clientip.raw field.
I checked out the mapping for this index and came across this (this may be getting into an Elasticsearch question, so direct me there if you must)
"clientip": { "type": "string", "norms": { "enabled": false }, "fields": { "raw": { "type": "string", "index": "not_analyzed", "ignore_above": 256 } } }
So it seems like clientip.raw is not a completely new field, is it like a computed field that doesn't exist explicitly? The reason it as created is because in mappings => default => we have this:
{ "string_fields": { "mapping": { "index": "analyzed", "omit_norms": true, "type": "string", "fields": { "raw": { "ignore_above": 256, "index": "not_analyzed", "type": "string" } } }, "match": "*", "match_mapping_type": "string" } }
So the question is, what exactly is going on here and how do I have *.raw fields show up in the Kibana Discovery tab as a field?