Hello,
I have recently updated my elastic stack from 7.8 to 7.9.2 I had to make something wrong because when I try to do some data visualization when I choose Field for aggregation i see source.ip.keyword instead of source.ip. The field destination.ip works properly. What have I made wrong how can i let kibana see source.ip field? I had checked the documents and they contains this field. I gather data via netflow filebeat module.
Hi @Adriann
seems like that field is not mapped as ip, but was mapped as text and by default also as keyword, could you please check the mappings of the source.ip and compare it to the one from the destination.ip?
GET your_index_name/_mapping/field/source.ip
GET your_index_name/_mapping/field/destination.ip
Hi,
thank you for your response. I have checked that for every index that I have and I see that the mapping is all the same. The weird thing is I can use source.ip in KQL query but have the issues mentioned above when I want to use it as a filed name for a chart.
{
"filebeat-netflow-2020.10.07-000001" : {
"mappings" : {
"source.ip" : {
"full_name" : "source.ip",
"mapping" : {
"ip" : {
"type" : "ip"
}
}
}
}
},
Refreshing the index pattern resolved the issue.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.