[SOLVED] Raw field

Elastic Stack Elasticsearch
1

Hi all,

I have a field that I analyze but I want to keep it to a single string too.

To deal with that I use the nested field "raw" as below:

"mappings" : {
"my_log" : {
"_all": {
"enabled": false
},
"properties" : {
"@source_host" : {
"type" : "string",
"index" : "analyzed",
"analyzer" : "custom-analyzer",
"fields": {
"raw": {
"type": "string",
"index": "not_analyzed"
}
}
},
...

When I make a search, I didn't get the field "@source_host.raw":

curl -XGET localhost:9200/log/my_log/_search?pretty
"hits" : {
    "total" : 57937,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "log",
      "_type" : "my_log",
      "_id" : "AVR7oRjdhtVrl161Rr1y",
      "_score" : 1.0,
      "_source" : {
        "message" : "2016-05-04T13:55:51+02:00 10.126.14.137 err 2016 May  4 13:55:51.905 CEST: %ETHPORT-3-IF_UP: Interface Ethernet103/1/16
        "@version" : "1",
        "@timestamp" : "2016-05-04T11:55:51.905Z",
        "host" : "127.0.0.1:34439",
        "type" : "test_log",
        "syslog_host_time" : "2016-05-04T13:55:51+02:00",
        "client" : "192.168.1.1",
        "severity" : "err",
        "client_date" : "2016 May  4 13:55:51.905 CEST",
        "facility" : "ETHPORT",
        "int_severity" : "3",
        "mnemonic" : "IF_UP",
        "short_message" : "Interface Ethernet103/1/16 is up in mode access",
        "tags" : [ "test-log" ],
        "@source_host" : "test-toto-1.fr.prs.corp"
      }

Do you have any idea why ?

Thanks in advance,
Alex

2

I found why, I didn't read the offical doc in depth.

Regarding the doc: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/multi-fields.html

Multi-fields do not change the original _source field

That's why I didn't get the nested field but I can make a search on it.

Have a nice day,
Alex