Strings shown as Multifields

KarlosA · September 30, 2021, 11:14am

Hello,

Using Elasticsearch 7.8.1 the following mapping:

"mappings": {
            "_routing": {
                "required": true 
            },
            "properties": {
                "qualified_host": {
                    "type": "keyword"
                },
                "username": {
                    "type": "keyword"
                },
                "message": {
                    "type": "text"
                },
                "ip": {
                    "type": "ip"
                },
                "user_agent": {
                    "type": "keyword"
                },
                "coordinates": {
                    "type": "geo_point"
                }
            }
}

Creates documents with this format (which is what I expect):

{
  "_index": "some-logstash-2021.09.30",
  "_type": "_doc",
  "_id": "eZQNZnsBc-iyvoWoEDgq",
  "_version": 1,
  "_score": null,
  "_routing": "domain.com",
  "_source": {
    "qualified_host": "domain.com",
    "username": "user",
    "ip": "192.1.1.0",
    "message": "the full message shows here",
    "coordinates": "16.426905,-90.0408",
    "user_agent": "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\""
  }
}

After updating to Elasticsearch 7.13.3, and using the following mapping (slighly changed to add _source.enabled: true :

"mappings": {
            "_routing": {
                "required": true 
            },
            "_source": {
                "enabled": true
            },
            "properties": {
                "qualified_host": {
                    "type": "keyword"
                },
                "username": {
                    "type": "keyword"
                },
                "message": {
                    "type": "text"
                },
                "ip": {
                    "type": "ip"
                },
                "user_agent": {
                    "type": "keyword"
                },
                "coordinates": {
                    "type": "geo_point"
                }
            }
}

The documents show the String fields as Multifields (in this case an Array of Strings), doesn't show the _source attribute, but fields instead:

{
  "_index": "some-logstash-2021.09.30",
  "_type": "_doc",
  "_id": "WxBNNnwBcz9KRLEH6CQ7",
  "_version": 1,
  "_score": null,
  "_routing": "domain.com",
  "fields": {
    "qualified_host": [
        "domain.com"
    },
    "username": [
        "user"
    ],
    "ip": [
        "192.1.1.0"
    ],
    "message": [
        "the full message shows here",
    ],
    "coordinates": [
      {
        "coordinates": [
          16.426905,
          -90.0408
        ],
        "type": "Point"
      }
    ],
    "user_agent": [
        "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\""
    ]
  }
}

I tried to reindex those documents doing slight changes into the destination template but the String fields still show up as Arrays of Strings.

What can be the problem?
Why those fields are now "casted" to Arrays of Strings instead of just plain Strings?

Thanks!

system · October 28, 2021, 11:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field stored as "text" though it was mapped to "keyword" Elasticsearch	3	47	August 2, 2024
ES7.4 returns unsupported symbol in geohash Elasticsearch	2	2483	December 2, 2019
IP type being incorrectly indexed and mapped as string Elasticsearch	1	543	March 8, 2017
Dynamic template override for multi-fields Elasticsearch	1	963	June 7, 2017
Change mapping question Elasticsearch	3	1143	January 4, 2018

Strings shown as Multifields

Related topics