I started indexing our Elasticsearch slowlogs to our ELK stack and I'm seeing some strange behavior with the es_source field, which I'm trying to use in a visualization.

On the Discover page in Kibana, I have a saved search with several hits that all contain a string field I named es_source. In that field are the values from the source section of the ES slowlogs. On the Visualize page, however, if I create any visualization and try to use the es_source.raw field in terms, it only shows 4 results. The only difference I can see is that the 4 results that show up are a lot smaller than the results that don't show up. I set the source limit in Elasticsearch at the default 1000 characters. Is there something in Kibana that would limit the Visualization results? Has anyone seen something like this before?