Searchable, aggregatable


#1

Hi, I would like to make our ELK efficient. I know in which fields I will never search or aggregate but I still want to display them.
Is there any way how to define "not searchable" (or aggregatable) field? I read that it is because of index is set to "not_analyzed" but now index has only bool value. "False" will not display at all in Kibana.
Maybe "include_in_all" field?


(Brandon Kobel) #2

@Akaren which version of Kibana/Elasticsearch are you using? I was able to use the following to create an index where field2 has index set to false, and I see it showing up in Kibana:

PUT test
{
    "settings" : {
        "number_of_shards" : 1
    },
    "mappings" : {
        "type1" : {
            "properties" : {
                "field1" : { "type" : "text" },
                "field2" : { "type" : "keyword", "index": false}
            }
        }
    }
}

Did you refresh your Kibana Index Pattern after changing the mappings in Elasticsearch to include that column? You can do so by going to Management -> Index Patterns and clicking the Refresh button highlighted below in the red rectangle:


#3

So when you set:
"index: false" - it won't be searchable
"type: keyword" - will be aggregetable

what about analyzed? Can it be all - aggregatable, analyzed and searchable?

Kibana 5.3


(Brandon Kobel) #4

@Akaren I'm not following. I thought your goal was to have a field that was always just displayed as-is, but you didn't want it to be searchable or aggregatable, what's what setting { "type" : "keyword", "index": false} on the field2 does.

Are you now asking for a way to have a field that is searchable and aggregatable?


#5

I am trying to understand how it works :slight_smile:


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.