Why does this simple search in Kibana work?

smm · October 6, 2025, 9:30am

Hi there,

I defined this simple test document:

POST /logs-stefano/_doc?pipeline=syslog_deduplication
{
"@timestamp": "2025-10-06T09:00:00Z",
"host": "SERVER-A",
"message": "date=2025-05-02 time=10:38:00 devname=SERVER-A severity=info msg='Test syslog message nr 1'",
"severity": "info",
"facility": "local7",
"NEU": "Zusatzfeld"
}

In Kibana 8.18.6 I search like this:
severity: i*fo
and get as result what I defined above - 1 document.

My question:

Kibana shows for this single result document under ‘Document’ → ‘Table’ the type keyword for the severity field.

But why does it not show the type t for text? In the json view there is no such .keyword field for it. By the way I can use a wildcard in this field and get a result.

cheers!

**Attachments
**

{
  "_index": "logs-stefano",
  "_id": "6OWj7yIs9qQdYdBSMcMdaA==",
  "_version": 1,
  "_source": {
    "severity": "info",
    "@timestamp": "2025-10-06T09:00:00Z",
    "host": "SERVER-A",
    "message": "date=2025-05-02 time=10:38:00 devname=SERVER-A severity=info msg='Test syslog message nr 1'",
    "facility": "local7",
    "NEU": "Zusatzfeld"
  },
  "fields": {
    "severity": [
      "info"
    ],
    "@timestamp": [
      "2025-10-06T09:00:00.000Z"
    ],
    "NEU.keyword": [
      "Zusatzfeld"
    ],
    "host": [
      "SERVER-A"
    ],
    "message": [
      "date=2025-05-02 time=10:38:00 devname=SERVER-A severity=info msg='Test syslog message nr 1'"
    ],
    "facility": [
      "local7"
    ],
    "NEU": [
      "Zusatzfeld"
    ]
  }
}

RainTown · October 6, 2025, 10:53am

Can I suggest you combine your various posts into one post (use edit feature) delete the others, and think about writing a clearer question. Maybe with a screenshot?

Please also share the mapping for the index, see below.

When I create the document you shared, the fields (al of them) get defined as text with a field.keyword subfield. Obviously I also don't know whats in your syslog_deduplication pipeline.

GET /logs-test/_mapping
{
  "logs-test": {
    "mappings": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "NEU": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "facility": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "host": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "message": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "severity": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }
  }
}

smm · October 7, 2025, 4:54am

Hi Kevin,

good points! …and thank you for testing it on your side.

Here are my results regarding the mapping:

GET /logs-stefano/_mapping

{
  "logs-stefano": {
    "mappings": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "NEU": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "facility": {
          "type": "keyword"
        },
        "host": {
          "type": "keyword"
        },
        "message": {
          "type": "text"
        },
        "severity": {
          "type": "keyword"
        }
      }
    }
  }
}

Looking at the mapping: severity is only of type ‘keyword’. But then why can I use a wildcard search in a keyword type field? I thought this is not possible.

kind regards
Stefano

Tortoise · October 7, 2025, 6:56am

Hello @smm

As you are searching it via Kibana (KQL) so it is able to fetch the record.

If we check the query executed by using inspect in Kibana it uses wildcard :

{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "agent.name": {
              "value": "j*va"
            }
          }
        }
      ]
    }
  }
}

If we execute the query via DSL it will not fetch records which is as per expectation of keyword field :

POST .ds-logs-apm.error-default-2025.09.18-000055/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "agent.name": "j*va"
          }
        }
      ]
    }
  }
}

No records

Thanks!!

Topic		Replies	Views
Keyword field doesn't show as type keyword in kibana Elasticsearch	1	493	May 23, 2018
Weird issue with keyword field Kibana	3	822	April 29, 2020
Elasticsearch - searching with "keyword" type don't work Elasticsearch	8	6055	March 2, 2018
Type keyword stills appearing as text Elasticsearch	2	372	February 13, 2019
Kibana 5.0 shows field type as string, not keyword: working as designed? Kibana	3	5349	December 26, 2016

Why does this simple search in Kibana work?

Related topics