Hi, I would like to make our ELK efficient. I know in which fields I will never search or aggregate but I still want to display them.
Is there any way to define a "not searchable" (or aggregatable) field? I read that it is because index is set to "not_analyzed", but now index has only a bool value. "False" will not display at all in Kibana.
Maybe "include_in_all" field?
@Akaren which version of Kibana/Elasticsearch are you using? I was able to use the following to create an index where field2 has index set to false, and I see it showing up in Kibana:
PUT test
{
  "settings" : {
    "number_of_shards" : 1
  },
  "mappings" : {
    "type1" : {
      "properties" : {
        "field1" : { "type" : "text" },
        "field2" : { "type" : "keyword", "index": false }
      }
    }
  }
}
Did you refresh your Kibana Index Pattern after changing the mappings in Elasticsearch to include that column? You can do so by going to Management -> Index Patterns and clicking the Refresh button highlighted below in the red rectangle:
So when you set:
"index: false" - it won't be searchable
"type: keyword" - will be aggregatable
What about analyzed? Can it be all - aggregatable, analyzed and searchable?
Kibana 5.3
@Akaren I'm not following. I thought your goal was to have a field that was always just displayed as-is, but you didn't want it to be searchable or aggregatable, that's what setting { "type" : "keyword", "index": false } on the field2 does.
Are you now asking for a way to have a field that is searchable and aggregatable?
I am trying to understand how it works.
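An added example, not part of any post in this thread and not Elastic's code: a small Python check that reads a create-index body and reports, per field, whether it would be searchable and aggregatable. It assumes the Elasticsearch 5.x mapping defaults (`index` true, `doc_values` true for every type except `text`, `fielddata` false for `text`); `field1` and `field2` are from the mapping posted above, while `field3`, `field4` and `raw_blob` are constructed for illustration.

```python
# Added example. Assumes Elasticsearch 5.x mapping defaults:
#   index      -> true  (false: the field cannot be queried)
#   doc_values -> true for every type except text (false: no sort/aggregation)
#   fielddata  -> false (a text field aggregates only when this is true)
#   enabled    -> true  (false on an object: kept in _source only)

def field_flags(spec):
    """Return (searchable, aggregatable) for a single field definition."""
    searchable = spec.get("index", True) is not False
    if spec.get("type") == "text":
        aggregatable = spec.get("fielddata", False) is True
    else:
        aggregatable = spec.get("doc_values", True) is not False
    return searchable, aggregatable

def walk(properties, prefix=""):
    """Flatten a 'properties' tree into {dotted.path: (searchable, aggregatable)}."""
    flags = {}
    for name, spec in properties.items():
        path = prefix + name
        if spec.get("enabled", True) is False:        # stored but never parsed
            flags[path] = (False, False)
        elif "properties" in spec:                    # object field: recurse
            flags.update(walk(spec["properties"], path + "."))
        else:
            flags[path] = field_flags(spec)
            for sub, sub_spec in spec.get("fields", {}).items():  # multi-fields
                flags[path + "." + sub] = field_flags(sub_spec)
    return flags

def classify(index_body):
    """Classify every field of every mapping type in a create-index body."""
    flags = {}
    for type_mapping in index_body.get("mappings", {}).values():
        flags.update(walk(type_mapping.get("properties", {})))
    return flags

# field1/field2 are from the thread; the other fields are constructed samples.
SAMPLE = {"mappings": {"type1": {"properties": {
    "field1": {"type": "text"},
    "field2": {"type": "keyword", "index": False},
    "field3": {"type": "keyword", "index": False, "doc_values": False},
    "field4": {"type": "text", "fields": {"raw": {"type": "keyword"}}},
    "raw_blob": {"type": "object", "enabled": False},
}}}}

if __name__ == "__main__":
    for path, (search, agg) in sorted(classify(SAMPLE).items()):
        print(f"{path:12} searchable={search!s:5} aggregatable={agg}")
```

All five sample fields remain in `_source`, so Kibana can still display them after the index pattern is refreshed.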