Unanalyzed fields


(Oscar Crespo Couoh) #1

hi, i need help to correct kibana field. when I try to visualizing the fields, shown me the following warning:

"Careful! The field contains Analyzed selected strings. Analyzed strings are highly unique and can use a lot of memory to visualize. Values: such as bar will be foo-foo and bar broken into. See Core Mapping Types for more information on setting esta field Analyzed as not "

someone know how fix this problem?


(Shaunak Kashyap) #2

Can you share the Elasticsearch mapping for the index pattern you are using in Kibana? And what is the name of the field you are trying to use here?


(Oscar Crespo Couoh) #3

Well, all fields have this warning....

i'll upload the notepad because they are many lines

txt of mapping


(Shaunak Kashyap) #4

It looks like you need to index the string fields you want to use in Kibana as not_analyzed. You can do this in one of two ways:

  • Change each string field mapping to { "type": "string", "index": "not_analyzed" }. Then you can use these fields in Kibana.

OR

  • Change each string field mapping to { "type": "string", "fields": { "raw": { "type": "string", "index": "not_analyzed" } } }. This will analyze the original field (say foo) in the index but also create a new field, foo.raw which will not be analyzed. You would then use the foo.raw field in Kibana.

Either way, you will probably want to reindex your data after updating the mapping so the changes are applied to old data as well as future data.

Also, it looks like you are using time-based indices (based on the index names, firewall-YYYY.MM.DD). This means you are probably using an index template. Make sure any mapping changes you make are made to that template.


(Oscar Crespo Couoh) #5

thank you, solved


(system) #6