Static Mappings Ignored by Some Fields While Others Work

I'm fairly new to the ELK stack, so most likely I'm just doing something dumb. I've failed to find suitable Google results, hence this post.

I have an Index Template configured with mappings, and I create a fresh index and store some documents in it, but only some fields get mapped properly (e.g. rule_name, message) while Kibana shows the other fields (e.g. tags, url) as "unknown fields".

Data JSON

{
  "_index": "logs-REMOVED.alerts",
  "_id": "QkQGs4IBxLlR-_ZMQ9ul",
  "_version": 1,
  "_score": 0,
  "_source": {
    "rule_id": "e9876de0-1ec9-11ed-8477-7b5684a31dfa",
    "rule_name": "Uptime Monitors (Networking)",
    "alert_id": "unifi_controller__https_unifi_REMOVED_com_REMOVED",
    "monitor_type": "http",
    "tags": "networking",
    "url": "https://unifi.REMOVED.com:8443",
    "message": "Get \"https://unifi.REMOVED.com:8443\": x509: certificate has expired or is not yet valid: current time 2022-08-19T01:14:21+03:00 is after 2022-03-16T09:25:02Z",
    "@timestamp": "2022-08-18T22:15:08.452Z"
  },
  "fields": {
    "rule_id": [
      "e9876de0-1ec9-11ed-8477-7b5684a31dfa"
    ],
    "@timestamp": [
      "2022-08-18T22:15:08.452Z"
    ],
    "rule_name": [
      "Uptime Monitors (Networking)"
    ],
    "alert_id": [
      "unifi_controller__https_unifi_REMOVED_com_8443_REMOVED"
    ],
    "alert_id.keyword": [
      "unifi_controller__https_unifi_REMOVED_com_8443_REMOVED"
    ],
    "message": [
      "Get \"https://unifi.REMOVED.com:8443\": x509: certificate has expired or is not yet valid: current time 2022-08-19T01:14:21+03:00 is after 2022-03-16T09:25:02Z"
    ],
    "monitor_type": [
      "http"
    ],
    "url": [
      "https://unifi.REMOVED.com:8443"
    ],
    "tags": [
      "networking"
    ]
  }
}

Hi @othman

What version of the stack? I ask because there is some different behavior with index patterns between now and a couple versions ago.

In Discover, what happens if you do a Shift + Reload... and/or did you go and delete and re-create the Index Pattern?

You're missing alert in your mapping BTW

Hi @stephenb

Thank you for the reply.

Forgot to state that I am using Elasticsearch/Kibana version 8.3.3.

Oh my, I just tried Shift + Reload as you suggested and it fixed the issue. Looks like it was just a browser caching issue, was driving me insane! Thank you very much!
