Sort doesn't work on a "not_analyzed" field?

Elastic Stack Elasticsearch
1

I have a mapping http://pastebin.com/SQxpD2cn:

{
"default":{
"properties":{
"EVENT_KEY":{
"type":"multi_field",
"fields":{
"EVENT_KEY":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"SYSTEM":{
"type":"multi_field",
"fields":{
"SYSTEM":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"EVENT_TIME":{
"type":"multi_field",
"fields":{
"EVENT_TIME":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"OUTCOME":{
"type":"multi_field",
"fields":{
"OUTCOME":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"USER":{
"type":"multi_field",
"fields":{
"USER":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
}
}
}
}

When I try to search against the index (e.g.,
http://localhost:9200/indexName/_search) with thishttp://pastebin.com/LvfNHUNh
:

{
"sort" : [
"USER.not_analyzed" : { "order" : "desc" }
]
}

...the results don't actually come back sorted by USER.not_analyzed. I know
elasticsearch knows the field is in there, because I search on gibberish -
e.g., "USER.not_there" - I get an error response. Can someone tell me what
I'm doing wrong?

2

It's worth noting: the search does not fail. It returns data from the
index, but does so without the sorting applied.

3

Just as an update: the issue turned out to be that my mapping was not named
the same as the document in which the events were being stored. While, in
hindsight, this link appears obvious, it doesn't get explicitly called out
in the elasticsearch documentation.

4

Josh, could you please elaborate a little more on the exact change you had
to make to you mapping to make it work. perhaps post the mapping that works
for you so we can see the cahnge. apologies for the basic nature of the
question. am new to this and facing a similar issue.

On Wednesday, 1 August 2012 16:27:09 UTC+1, Josh Hyde wrote:

Just as an update: the issue turned out to be that my mapping was not
named the same as the document in which the events were being stored.
While, in hindsight, this link appears obvious, it doesn't get explicitly
called out in the elasticsearch documentation.

5

Bear with me, as I'll be reconstituting JSON from memory, and I'm not
really the most proficient at either of those things.

Our documents were being created with a name of "events". Because I was
submitting a mapping named "default", our mappings for the index ended up
looking something like:

{
"default":{
"properties":{
"EVENT_KEY":{
"type":"multi_field",
"fields":{
"EVENT_KEY":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"SYSTEM":{
"type":"multi_field",
"fields":{
"SYSTEM":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"EVENT_TIME":{
"type":"multi_field",
"fields":{
"EVENT_TIME":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"OUTCOME":{
"type":"multi_field",
"fields":{
"OUTCOME":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
},
"USER":{
"type":"multi_field",
"fields":{
"USER":{
"type":"string",
"index":"analyzed"
},
"not_analyzed":{
"type":"string",
"index":"not_analyzed"
}
}
}
}
},
"events":{
"properties":{
"EVENT_KEY":{
"type":"string"
},
"SYSTEM":{
"type":"string"
},
"EVENT_TIME":{
"type":"string"
},
"OUTCOME":{
"type":"string"
},
"USER":{
"type":"string"
}
}
}
}

Because the actual data was stored in the "events" document, trying to sort
on "default.EVENT_KEY.not_analyzed", while it did not error, couldn't be
applied to a different document, which explains why the sorting just didn't
work.