Strings shown as Multifields

Elastic Stack Elasticsearch
1

Hello,

Using Elasticsearch 7.8.1 the following mapping:

"mappings": {
            "_routing": {
                "required": true 
            },
            "properties": {
                "qualified_host": {
                    "type": "keyword"
                },
                "username": {
                    "type": "keyword"
                },
                "message": {
                    "type": "text"
                },
                "ip": {
                    "type": "ip"
                },
                "user_agent": {
                    "type": "keyword"
                },
                "coordinates": {
                    "type": "geo_point"
                }
            }
}

Creates documents with this format (which is what I expect):

{
  "_index": "some-logstash-2021.09.30",
  "_type": "_doc",
  "_id": "eZQNZnsBc-iyvoWoEDgq",
  "_version": 1,
  "_score": null,
  "_routing": "domain.com",
  "_source": {
    "qualified_host": "domain.com",
    "username": "user",
    "ip": "192.1.1.0",
    "message": "the full message shows here",
    "coordinates": "16.426905,-90.0408",
    "user_agent": "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\""
  }
}

After updating to Elasticsearch 7.13.3, and using the following mapping (slighly changed to add _source.enabled: true :

"mappings": {
            "_routing": {
                "required": true 
            },
            "_source": {
                "enabled": true
            },
            "properties": {
                "qualified_host": {
                    "type": "keyword"
                },
                "username": {
                    "type": "keyword"
                },
                "message": {
                    "type": "text"
                },
                "ip": {
                    "type": "ip"
                },
                "user_agent": {
                    "type": "keyword"
                },
                "coordinates": {
                    "type": "geo_point"
                }
            }
}

The documents show the String fields as Multifields (in this case an Array of Strings), doesn't show the _source attribute, but fields instead:

{
  "_index": "some-logstash-2021.09.30",
  "_type": "_doc",
  "_id": "WxBNNnwBcz9KRLEH6CQ7",
  "_version": 1,
  "_score": null,
  "_routing": "domain.com",
  "fields": {
    "qualified_host": [
        "domain.com"
    },
    "username": [
        "user"
    ],
    "ip": [
        "192.1.1.0"
    ],
    "message": [
        "the full message shows here",
    ],
    "coordinates": [
      {
        "coordinates": [
          16.426905,
          -90.0408
        ],
        "type": "Point"
      }
    ],
    "user_agent": [
        "\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\""
    ]
  }
}

I tried to reindex those documents doing slight changes into the destination template but the String fields still show up as Arrays of Strings.

What can be the problem?
Why those fields are now "casted" to Arrays of Strings instead of just plain Strings?

Thanks!

3 Likes
2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.