Various Metricbeat example visualizations don't work OOTB, missing .keyword in Group by field?

I'm using Debian to set up a test system, and the included visualizations, for example "Interfaces by Incoming traffic [Metricbeat System]", show no data by default. I had to set "Group by" to "system.network.name.keyword" instead of just "system.network.name" to show data and couldn't find anything regarding that issue. Is this normal?

That sounds like a bug in how Metricbeat sets up the visualizations. I would suggest opening up an issue in the Metricbeat GitHub repo.

Are you sure? It isn't just Metricbeat, and I couldn't find any mention of system.network.name.keyword in the documentation.

The system.network.name field is being mapped as analyzed, and you can't group on analyzed fields. system.network.name.keyword is the raw not_analyzed field, and you can group on that. So, you either need to remap/reindex with system.network.name mapped as a keyword field (not_analyzed), or make the changes you have made above.

This has a pretty good explanation of the difference between analyzed and not_analyzed: https://www.elastic.co/guide/en/elasticsearch/guide/current/multi-fields.html
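As an added illustration (not part of the thread or of Metricbeat), the check below walks an index mapping and reports which field name a "Group by" / terms aggregation can use for each leaf field. The sample mapping is constructed, `group_by_fields` is a hypothetical helper, and the mapping is assumed to use the `text`/`keyword` type names with the sub-field listed under `fields`.

```python
# Constructed sample: the shape returned by GET <index>/_mapping for a field
# mapped as analyzed text with a keyword sub-field (not taken from the thread).
SAMPLE_MAPPING = {
    "properties": {
        "system": {
            "properties": {
                "network": {
                    "properties": {
                        "name": {
                            "type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                        },
                        "in": {"properties": {"bytes": {"type": "long"}}},
                    }
                }
            }
        }
    }
}


def group_by_fields(mapping, prefix=""):
    """Map each leaf field to the name usable in a terms aggregation, or None."""
    result = {}
    for name, spec in mapping.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            result.update(group_by_fields(spec, path + "."))
            continue
        if spec.get("type") != "text" or spec.get("fielddata"):
            result[path] = path  # keyword, numeric, date, ... aggregate directly
            continue
        # Analyzed text: look for a non-analyzed sub-field under "fields"
        sub = next((s for s, sub_spec in spec.get("fields", {}).items()
                    if sub_spec.get("type") == "keyword"), None)
        result[path] = f"{path}.{sub}" if sub else None
    return result


if __name__ == "__main__":
    for field, target in group_by_fields(SAMPLE_MAPPING).items():
        print(f"{field:30} -> {target or 'not aggregatable: remap/reindex'}")
```

A field that comes back as `None` has no keyword sub-field, which is the remap/reindex case described in the answer above.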

Thank you for explaining it, I'll open a bug for Metricbeat.
