Two string fields, one with .text suffix

Rihards · August 9, 2024, 1:29pm

In Kibana, viewing security alerts, presumably from an Elastic-defined rule.
There are some fields that seem to be duplicated, just with a .text suffix added.

They both seem to be of the same type, "String field" (not allowed to include second sreenshot).

A guide at Opster (not allowed to link to it here) talks about key vs text fields, but there does not seem to be such a type difference here.

Is there another, more subtle field difference, or are they both indeed identical?

leandrojmp · August 9, 2024, 1:52pm

These aren't duplicated, they are multi-fields, both are string fields, but one is mapped as a keyword and the other is mapped as a match_only_text.

Multi-fields are used when you want to store the data in different ways, in this case the keyword field is used for keyword queries, with exact match, and the text field is used for full text queries.

Example for the shared document:

Query 1

process.executable: System32

Query 2

process.executable.text: System32

Query 1 would return nothing, but Query 2 would return this document.

Also, you can run aggregations and sortings on the keyword fields, but not on the text fields.

Not sure what the guide is saying, but I don't think there is any issue in sharing it here, Opster was acquired by Elastic last year.

It is this one?

Basically you map a field as being part of the keyword family when you will make queries using the full value, like usernames, hosts etc, and you map a field as being part of the text family when you want to do full queries searchs, like query for part of the string.

In the documentation of each one there are more explanation and use cases, this one is for keyword family and this one is for text family.

Rihards · August 9, 2024, 2:40pm

Thanks, that is the guide - maybe I was not allowed to link to it due to my account being fairly new still.

In the document view, both of those fields show up with the "t" icon, and mouseover for both gives "String field".
How can the keyword/text difference be observed?

Rihards · August 14, 2024, 6:51am

Apparently they are keyword vs text, just that this does not seem to be visible in the UI.

Via the API, field mapping detail can be retrieved, and this shows the difference.

GET /index/_mapping/field/field.name

{
  "index": {
    "mappings": {
      "field.name": {
        "full_name": "field.name",
        "mapping": {
          "name": {
            "type": "keyword",
            "ignore_above": 1024,
            "fields": {
              "text": {
                "type": "match_only_text"
              }
            }
          }
        }
      }
    }
  }
}

GET /index/_mapping/field/field.name.text

{
  "index": {
    "mappings": {
      "field.name.text": {
        "full_name": "field.name.text",
        "mapping": {
          "text": {
            "type": "match_only_text"
          }
        }
      }
    }
  }
}

Topic		Replies	Views
Duplicate field mapping in kibana with ".keyword" at the end Kibana	3	3193	November 20, 2019
Index Mapping -- Type: Text and Keyword vs Type: Keyword and Text Elasticsearch	1	886	August 16, 2018
[ES 5.0] Mapping issues Elasticsearch	2	1021	December 8, 2016
Two field mapppings created one field.keyword and another field Logstash	1	303	January 15, 2020
Field stored as "text" though it was mapped to "keyword" Elasticsearch	3	41	August 2, 2024

Two string fields, one with .text suffix

Related Topics