Hi team,
I am running into an issue in our ELK production environment and can't figure out why. I googled it, and the results say it might be because the ktf1.raw field is not enabled, but I still failed after applying the raw field. Can you help have a look and advise?
Issue Description:

1. I have the below data in ELK; the values for ktf1, kf1, kf2, ktf3 are arrays. In Kibana, I want it to aggregate by the values in the array, but I didn't get the expected result. It treats the array as a string and aggregates based on the string. Please refer to the screenshot in point 3.

    at,ktf1,kf1,kf2,kf3
    SAVE,"[performance,compensation]","[true,true,false,false]","[false,false,false,false]","[false,false,false,false]"
    SAVE,"[performance,compensation,Others]","[true,true,true,false]","[false,false,false,false]","[true,true,false,false]"
    SAVE,"[performance,compensation,Others]","[true,true,true,false]","[false,false,false,false]","[true,true,false,false]"
    SAVE,"[performance,compensation,Others]","[true,true,true,false]","[false,false,false,false]","[true,true,false,false]"
    SAVE,"[performance,compensation,liveProfile,talentFlag,Others]","[true,false,false,false]","[false,false,false,false]","[true,false,false,false]"

2. The index template definition for ktf1, kf1, kf2, ktf3 is below.

    {
      "template": "kvaudit",
      "index_patterns": ["kvaudit"],
      "settings": {
        "index": {
          "number_of_shards": "1",
          "codec": "best_compression",
          "number_of_replicas": "0"
        }
      },
      "mappings": {
        "doc": {
          "properties": {
            "@version": {"type": "keyword"},
            "beat": {
              "properties": {
                "version": {"type": "keyword"}
              }
            },
            "fields": {
              "properties": {
                "at": {"type": "keyword"},
                "ktf1": {"type": "text", "fields": {"raw": {"type": "keyword", "ignore_above": 256}}},
                "ktf2": {"type": "keyword"},
                "ktf3": {"type": "keyword"},
                "ktf4": {"type": "keyword"},
                "ktf5": {"type": "keyword"},
                "kf1": {"type": "keyword"},
                "kf2": {"type": "keyword"},
                "kf3": {"type": "keyword"}
              }
            }
          }
        }
      }
    }

3. Screenshot of Terms aggregation
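Added example, not part of the post above and not Elastic's code: a Python script that reproduces the behaviour described. A `.raw` keyword sub-field lets a terms aggregation run on a text field, but it still indexes whatever string it is given as one term. If a CSV cell such as `"[performance,compensation]"` reaches Elasticsearch as that literal string, each document contributes exactly one bucket; only when the cell is split into a real JSON array before indexing (in Logstash, an ingest pipeline, or the shipper) does each element become its own term. The script parses the five rows from the post both ways and simulates the terms bucket counts. The helper names (`parse_rows`, `split_bracketed`, `terms_buckets`) are assumptions made for this illustration, and the bucket simulation is a stand-in for the real aggregation.

```python
"""
Added example (not from the original post or from Elastic): shows why a
bracketed CSV cell aggregates as a single bucket and how splitting it into a
real JSON array before indexing changes the terms counts.

Assumptions: the CSV rows below are copied from the post; the helper names
are hypothetical, and terms_buckets() only simulates the per-document bucket
counting that an Elasticsearch terms aggregation performs.
"""
import csv
import io
import json
from collections import Counter

# Constructed sample: the rows shown in the post, embedded so this runs offline.
SAMPLE_CSV = """at,ktf1,kf1,kf2,kf3
SAVE,"[performance,compensation]","[true,true,false,false]","[false,false,false,false]","[false,false,false,false]"
SAVE,"[performance,compensation,Others]","[true,true,true,false]","[false,false,false,false]","[true,true,false,false]"
SAVE,"[performance,compensation,Others]","[true,true,true,false]","[false,false,false,false]","[true,true,false,false]"
SAVE,"[performance,compensation,Others]","[true,true,true,false]","[false,false,false,false]","[true,true,false,false]"
SAVE,"[performance,compensation,liveProfile,talentFlag,Others]","[true,false,false,false]","[false,false,false,false]","[true,false,false,false]"
"""

# Columns whose cells are bracketed lists rather than scalar values.
ARRAY_FIELDS = ("ktf1", "kf1", "kf2", "kf3")


def split_bracketed(value: str) -> list[str]:
    """Turn '[a,b,c]' into ['a', 'b', 'c']. A cell without brackets becomes a one-item list."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_rows(raw_csv: str, split_arrays: bool) -> list[dict]:
    """Parse the CSV into documents.

    With split_arrays=False the cells stay single strings, which is what
    Elasticsearch receives when nothing in the pipeline splits them; with
    split_arrays=True the cells become real JSON arrays.
    """
    docs = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        doc = dict(row)
        if split_arrays:
            for field in ARRAY_FIELDS:
                doc[field] = split_bracketed(doc[field])
        docs.append(doc)
    return docs


def terms_buckets(docs: list[dict], field: str) -> dict[str, int]:
    """Simulate a keyword terms aggregation: each distinct value of the field in a
    document (the whole string, or each array element) adds one to that bucket's
    doc_count."""
    counts: Counter = Counter()
    for doc in docs:
        value = doc[field]
        values = value if isinstance(value, list) else [value]
        for term in set(values):
            counts[term] += 1
    return dict(counts)


if __name__ == "__main__":
    as_strings = parse_rows(SAMPLE_CSV, split_arrays=False)
    as_arrays = parse_rows(SAMPLE_CSV, split_arrays=True)
    print("document as it should be indexed:", json.dumps(as_arrays[0]))
    print("ktf1 buckets when the cell is one string:", terms_buckets(as_strings, "ktf1"))
    print("ktf1 buckets when the cell is a real array:", terms_buckets(as_arrays, "ktf1"))
```

With the cells left as strings, ktf1 yields three buckets (one per distinct bracketed string); once split, it yields five buckets, with `performance` and `compensation` counted in all five documents. The same split is what a Logstash `mutate` `gsub`/`split` pair or an ingest `split` processor would have to do before the document reaches the `fields.ktf1.raw` mapping.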