Sorting rows in Kibana based on keyword field

Is there a way to get those up/down arrows next to the field name in Kibana so I could sort by small strings in that field?
Seems pretty trivial but I can't find a way.
Thought it was done by adding "fielddata" but still no success.

Hi Marin,

What version of Kibana are you using?

Are you talking about this sort in the Discover doc table?

Regards,
Lee

Hi LeeDr

Version is 6.0.0 from stack-docker image.

I have loaded the data with Filebeat to Logstash, parsed it and sent it to Elasticsearch.
Fields that are converted to timestamp and integer are sortable in the way you presented.
However, with a text field, I haven't managed to get what you got with your geo.src.

I am stuck at this for some time now. There is quite a list of things I tried.
It is not easy to search for a solution here.

How I got to it:
I cloned the Elastic docker image.
For simplicity I commented out everything but elasticsearch, logstash and kibana, including audit and the env related to it.
I added ports to kibana and logstash to be seen outside: 5601, 5044 (beats).

I added a grok to logstash.conf similar to this one:

grok {
  match => { "message" => "a\[%{WORD:ab_a}\] b\[%{NUMBER:ab_b}\]" }
  add_field => { "log_type" => "ab" }
}

and sent logs to logstash that were parsed and now can be seen in kibana.

Hi Marin,

This is a confusing topic even to me and I've been working on Kibana for over 2 years. But here's the issue.
It's all about the mapping of the field. Strings can be loaded into Elasticsearch as 2 different types, text and keyword, and they are commonly stored both ways. For example, in filebeat you should have beat.name and it should be sortable.

If we go to the Dev Console and do a GET on the filebeat index mapping we see that beat.name is "type": "keyword". The fact that it's a keyword makes it sortable.

But if I look at logstash host field, I see it's not sortable. So let's go look at that mapping.

Here we see that host is "type": "text" which is not sortable. But below that there is a "fields" section with keyword of type: keyword.

If we go back to Discover and click the little settings gear in the field list, we can uncheck Hide missing fields. Now we see the host.keyword field.

We can add it to the doc view, and we'll see the sort arrow, but there won't be any data in it :(

That's because the Discover tab in Kibana only shows data that is in the source. And since this field was initially a text type, and the keyword is a derived type, it doesn't work in Discover.

So for cases where you need to be able to sort, you need that field to be created as a keyword, and it could potentially have a derived text type.

So this:

"address_full": {
  "type": "keyword",
  "fields": {
    "search": {
      "type": "text",
      "fielddata": true
    }
  }
}

Instead of this:

"address_full": {
  "type": "text",
  "fields": {
    "keyword": {
      "type": "keyword",
      "ignore_above": 256
    }
  }
}

You might be able to change the mapping so that you have the keyword field first, and the text field (if needed) as a derived type. This might require a reindex of the data. Here's a blog post about doing that:
https://www.elastic.co/blog/changing-mapping-with-zero-downtime

3 Likes
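
The mapping change described in the answer above, as an added example that is not part of the original thread: a Python helper that takes the "properties" section returned by a GET on an index mapping and produces the keyword-first version to use for the new index before a reindex. The function name, the "search" sub-field default and the sample mapping are assumptions made for illustration; it also carries over any existing ignore_above, which the answer's target mapping does not show.

```python
import copy
import json

def keyword_first(properties, text_subfield="search", fielddata=True):
    """Copy a mapping "properties" dict, turning every text field that has a
    keyword sub-field into a keyword field with a text sub-field."""
    out = {}
    for name, spec in properties.items():
        spec = copy.deepcopy(spec)
        if "properties" in spec:  # object field: convert its children too
            spec["properties"] = keyword_first(spec["properties"], text_subfield, fielddata)
        subfields = spec.get("fields", {})
        kw = next((s for s in subfields.values() if s.get("type") == "keyword"), None)
        if spec.get("type") == "text" and kw is not None:
            # Keep analyzer and other text settings on the new text sub-field.
            text = {k: v for k, v in spec.items() if k != "fields"}
            if fielddata:
                text["fielddata"] = True  # as in the answer's mapping
            others = {k: v for k, v in subfields.items() if v is not kw}
            new = {"type": "keyword"}
            if "ignore_above" in kw:  # choice made here: keep the length limit
                new["ignore_above"] = kw["ignore_above"]
            new["fields"] = {text_subfield: text, **others}
            spec = new
        out[name] = spec
    return out

# Constructed sample: the answer's "instead of this" field, the asker's two
# grok fields as dynamic mapping would type them, and an object field.
SAMPLE = {
    "address_full": {
        "type": "text",
        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
    },
    "ab_a": {
        "type": "text",
        "analyzer": "standard",
        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
    },
    "ab_b": {"type": "long"},
    "beat": {"properties": {"name": {"type": "keyword"}}},
}

if __name__ == "__main__":
    print(json.dumps(keyword_first(SAMPLE), indent=2))
```

Fields that are already keyword, numeric or plain text without a keyword sub-field pass through unchanged, so the output can be diffed against the original mapping to see exactly which fields a reindex would affect.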

Thanks, this was confusing for me also.
Because in doc about discovery it said that all indexed fields are sortable.
And in automatic index generation that mapping is automatically generated.
I did find a word or 2 about text and keyword but wasn't able to write that exact mapping.
