Some fields missing from the kibana "terms" options

Hi @joniba,

Your guess is correct — it does have to do with mappings. Basically, the "message_field" mapping in the dynamic template is telling Elasticsearch to index the message field as type text. What this means is that the contents of the message field will be analyzed before they are indexed (as opposed to indexing the contents as-is, unanalyzed, as one large token).

The terms aggregation only operates on unanalyzed fields. And that's why you don't see message as an option when you select the terms aggregation.

Typically, when using Logstash, the contents of the message field tend to be a log line or some other long piece of text. It doesn't make sense usually to do aggregations (e.g. counts) on such long strings as-is. What sort of information is contained in your message field?

Shaunak
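Added illustration, not part of Shaunak's reply and not Elastic's or Logstash's own code: a small Python emulation of what the "message_field" dynamic template does to a sample document and of which fields Kibana would then list as aggregatable. The template names, the sample event and the simplified matching rules (only `match`, `path_match` and `match_mapping_type` with `*` wildcards, no date detection) are assumptions made for the example; real Elasticsearch applies more rules, but the outcome for `message` is the same.

```python
"""Why `message` is missing from the Kibana terms dropdown, and how a keyword
multi-field brings it back.

Added example (not the thread's or Elastic's code). It emulates a subset of
Elasticsearch dynamic templates and Kibana's "aggregatable" field check.
"""
from fnmatch import fnmatch

# Constructed sample event, shaped like a Logstash-produced document.
SAMPLE_EVENT = {
    "host": "web-01",
    "status": 200,
    "message": "GET /index.html 200 0.012s",
}

# Rough stand-in for the Logstash index template: `message` becomes a bare
# text field, every other string gets a text field plus a .keyword subfield.
TEXT_ONLY_TEMPLATES = [
    {"message_field": {"path_match": "message", "match_mapping_type": "string",
                       "mapping": {"type": "text", "norms": False}}},
    {"string_fields": {"match": "*", "match_mapping_type": "string",
                       "mapping": {"type": "text", "norms": False,
                                   "fields": {"keyword": {"type": "keyword",
                                                          "ignore_above": 256}}}}},
]

# Same thing with the message template corrected: keep full-text search on
# `message` and add an unanalyzed copy that terms aggregations can use.
# ignore_above is raised because log lines are often longer than 256 chars;
# values above the limit get no keyword entry and silently drop out of the agg.
FIXED_TEMPLATES = [
    {"message_field": {"path_match": "message", "match_mapping_type": "string",
                       "mapping": {"type": "text", "norms": False,
                                   "fields": {"keyword": {"type": "keyword",
                                                          "ignore_above": 1024}}}}},
] + TEXT_ONLY_TEMPLATES[1:]

# Default dynamic mapping when no template matches (Elasticsearch 5+ style).
DEFAULT_MAPPING = {
    "string": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
    "long": {"type": "long"},
    "double": {"type": "double"},
    "boolean": {"type": "boolean"},
}

# Field types that doc values make aggregatable; text needs fielddata=true,
# which loads every term into heap and is a last resort, not the fix.
AGGREGATABLE_TYPES = {"keyword", "long", "integer", "short", "byte", "double",
                      "float", "date", "boolean", "ip"}


def _json_type(value):
    """Map a Python value to the match_mapping_type name Elasticsearch uses."""
    if isinstance(value, bool):      # bool is an int subclass; check it first
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "double"
    if isinstance(value, str):
        return "string"
    raise TypeError(f"unsupported value type: {type(value).__name__}")


def apply_dynamic_templates(templates, event):
    """Build the mapping Elasticsearch would create for `event` on first index.

    Templates are tried in order; the first whose conditions all hold wins.
    """
    mapping = {}
    for field, value in event.items():
        json_type = _json_type(value)
        chosen = None
        for template in templates:
            _name, rule = next(iter(template.items()))
            if rule.get("match_mapping_type", "*") not in ("*", json_type):
                continue
            if "path_match" in rule and not fnmatch(field, rule["path_match"]):
                continue
            if "match" in rule and not fnmatch(field, rule["match"]):
                continue
            chosen = rule["mapping"]
            break
        mapping[field] = chosen if chosen is not None else DEFAULT_MAPPING[json_type]
    return mapping


def aggregatable_fields(mapping):
    """Return the field names Kibana would offer for a terms aggregation."""
    out = set()
    for field, props in mapping.items():
        if props["type"] in AGGREGATABLE_TYPES or (props["type"] == "text" and props.get("fielddata")):
            out.add(field)
        for sub, subprops in props.get("fields", {}).items():
            if subprops["type"] in AGGREGATABLE_TYPES:
                out.add(f"{field}.{sub}")
    return out


def terms_choices(templates, event=SAMPLE_EVENT):
    """End to end: dynamic templates + sample event -> sorted aggregatable fields."""
    return sorted(aggregatable_fields(apply_dynamic_templates(templates, event)))


if __name__ == "__main__":
    print("text-only message:", terms_choices(TEXT_ONLY_TEMPLATES))
    print("with keyword multi-field:", terms_choices(FIXED_TEMPLATES))
```

Running it shows `host.keyword` and `status` as the only choices under the text-only template, and `message.keyword` appearing once the multi-field is added; the terms aggregation then targets `message.keyword`, not `message`. As the reply points out, counting whole log lines is rarely what you want anyway; parsing the interesting piece (status code, path, client) into its own keyword field is the usual answer.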