I'm trying to join 2 indexes through term join in Elastic Maps but I'm having trouble retrieving results when I use a "fieldName.keyword" field as the left source of the join, meanwhile I'm not having any trouble retrieving the expected results when assigning the .keyword field value to a scripted field and using that as the left source.
When inspecting the query I can see that the response from the server is the same for both requests.
Included are screenshots from the responses (using both fields as sources) and the scripted field definition so you can see that both fields should have the same information.
Term join using original field (fieldName.keyword):
It looks like the screen shot for host.keyword response is actually showing the response for scripted field hostname. You can tell by looking at the request description. The left source always says copt-fast-aldi*:hostname. I would expect one to include the text copt-fast-aldi*:host.keyword.
What does the left source look like? Is the left source returning results in both cases. If using a time filter, could you use an absolute time to ensure both cases are comparing the same things?
The left source is a network host identifier, in our mapping we have both text field and keyword. I applied an absolute time filter (April 15th 12am - April 22nd 12am) but the output is the same.
This is what the left source looks like under the discover tab with the same filters applied:
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
