Two string fields, one with .text suffix

In Kibana, viewing security alerts, presumably from an Elastic-defined rule.
There are some fields that seem to be duplicated, just with a .text suffix added.

They both seem to be of the same type, "String field" (not allowed to include a second screenshot).

A guide at Opster (not allowed to link to it here) talks about key vs text fields, but there does not seem to be such a type difference here.

Is there another, more subtle field difference, or are they both indeed identical?

These aren't duplicated; they are multi-fields. Both are string fields, but one is mapped as a keyword and the other is mapped as a match_only_text.

Multi-fields are used when you want to store the data in different ways, in this case the keyword field is used for keyword queries, with exact match, and the text field is used for full text queries.

Example for the shared document:

Query 1

process.executable: System32

Query 2

process.executable.text: System32

Query 1 would return nothing, but Query 2 would return this document.

Also, you can run aggregations and sortings on the keyword fields, but not on the text fields.

Not sure what the guide is saying, but I don't think there is any issue in sharing it here, Opster was acquired by Elastic last year.

Is it this one?

Basically you map a field as being part of the keyword family when you will make queries using the full value, like usernames, hosts, etc., and you map a field as being part of the text family when you want to do full text searches, like querying for part of the string.

In the documentation of each one there is more explanation and use cases: this one is for the keyword family and this one is for the text family.

Thanks, that is the guide - maybe I was not allowed to link to it due to my account being fairly new still.

In the document view, both of those fields show up with the "t" icon, and mouseover for both gives "String field".
How can the keyword/text difference be observed?

Apparently they are keyword vs text, just that this does not seem to be visible in the UI.

Via the API, field mapping detail can be retrieved, and this shows the difference.

GET /index/_mapping/field/field.name

{
  "index": {
    "mappings": {
      "field.name": {
        "full_name": "field.name",
        "mapping": {
          "name": {
            "type": "keyword",
            "ignore_above": 1024,
            "fields": {
              "text": {
                "type": "match_only_text"
              }
            }
          }
        }
      }
    }
  }
}

GET /index/_mapping/field/field.name.text

{
  "index": {
    "mappings": {
      "field.name.text": {
        "full_name": "field.name.text",
        "mapping": {
          "text": {
            "type": "match_only_text"
          }
        }
      }
    }
  }
}
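To make the keyword-vs-text difference from the query example and the mapping output above concrete without a cluster, here is an added example (not from this thread or from Elastic). It parses a field-mapping response of the shape shown above, built here for process.executable (an assumption), and evaluates the two queries against a constructed sample path; the analyzer is a crude stand-in for the standard analyzer, not Elasticsearch's real tokenizer.

```python
import json
import re

# Constructed sample (assumption): a GET /index/_mapping/field/process.executable
# response in the shape shown in the thread; "executable" is the leaf name.
MAPPING_RESPONSE = json.loads("""
{"index": {"mappings": {"process.executable": {
  "full_name": "process.executable",
  "mapping": {"executable": {"type": "keyword", "ignore_above": 1024,
                             "fields": {"text": {"type": "match_only_text"}}}}}}}}
""")

TEXT_TYPES = {"text", "match_only_text"}

def list_field_types(resp):
    """Flatten a field-mapping response into {full_name: type}; multi-fields
    under "fields" get their own entry, e.g. process.executable.text."""
    out = {}
    for index_body in resp.values():
        for full_name, entry in index_body["mappings"].items():
            for leaf in entry["mapping"].values():
                out[full_name] = leaf["type"]
                for sub, sub_map in leaf.get("fields", {}).items():
                    out[f"{full_name}.{sub}"] = sub_map["type"]
    return out

def analyze(value):
    """Crude stand-in for the standard analyzer (assumption: good enough for
    file paths): split on path separators, colons and whitespace, lowercase."""
    return [t.lower() for t in re.split(r"[\\/:\s]+", value) if t]

def matches(field_type, stored, term):
    """keyword: the whole stored value must equal the term.
    text family: every analyzed term token must appear among the doc tokens."""
    if field_type == "keyword":
        return stored == term
    if field_type in TEXT_TYPES:
        doc_tokens = set(analyze(stored))
        return all(t in doc_tokens for t in analyze(term))
    raise ValueError(f"unsupported field type: {field_type}")

def run_query(resp, field, stored, term):
    """Evaluate `field: term` against one document value using the mapping."""
    return matches(list_field_types(resp)[field], stored, term)

def aggregatable(resp, field):
    """Only keyword-family fields support terms aggregations and sorting."""
    return list_field_types(resp)[field] == "keyword"

if __name__ == "__main__":
    doc = r"C:\Windows\System32\svchost.exe"  # constructed sample value
    for f in ("process.executable", "process.executable.text"):
        print(f, run_query(MAPPING_RESPONSE, f, doc, "System32"), aggregatable(MAPPING_RESPONSE, f))
```

Running it prints False for the keyword field and True for the .text multi-field on the query `System32`, matching Query 1 and Query 2 above, and shows that only the keyword field is aggregatable.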