Unable to query .keyword fields from an index created using the default logstash template

GuillaumeN · May 2, 2017, 3:02am

Thanks for the link Aaron.

After doing some research in the documentation, here is the adapted version of a sample query I use and it's result:

[root@elk-1 ~]# curl localhost:9200/logstash*/logs/_search?pretty -d'
> {
>     "query": {
>         "constant_score" : {
>             "filter" : {
>                 "term" : { "syslog_message.keyword" : "-5-" }
>             }
>         }
>     }
> }'
{
  "took" : 25,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

I've also tried using syslog_message, same result.

I'll update the thread title as this is more a query issue than empty fields.

Topic		Replies	Views
.keyword empty Elasticsearch	5	2931	November 1, 2017
GROK query generating .keyword fields in Elasticsearch Logstash	3	715	May 3, 2021
Mapping modifications in index template breaks search queries Elasticsearch	18	501	July 6, 2017
Why I am getting a double mapping for my keyword fields? Logstash	6	3183	April 26, 2017
Template Elasticsearch about data Elasticsearch	5	669	September 6, 2017

Unable to query .keyword fields from an index created using the default logstash template

Related topics