Issue:
For example, there is a field named category.
Filtering on event.category returns results.
Filtering on event.category.keyword returns no results.
1) Check the mapping
GET logs-*/_mapping

"event": {
  "properties": {
    "action": {
      "type": "keyword",
      "ignore_above": 1024
    },
    "agent_id_status": {
      "type": "keyword",
      "ignore_above": 1024
    },
    "category": {
      "type": "keyword",
      "ignore_above": 1024
    },
    "code": {
      "type": "keyword",
      "ignore_above": 1024
    },
    "created": {
      "type": "date"
    }
  }
}
Look for category:
- If you see "type": "keyword" → the field is already keyword. Use category (not category.keyword).
- If you see "type": "text" and no "fields": { "keyword": ... } → there is no .keyword subfield.
- If you see a subfield:

  "category": {
    "type": "text",
    "fields": {
      "keyword": { "type": "keyword", "ignore_above": 256 }
    }
  }

  Be aware of ignore_above: strings longer than that number are not indexed on .keyword, which can yield 0 hits on category.keyword while category (text) still matches.
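Added example, not part of the original post: Python that applies the three checks above to a saved GET logs-*/_mapping response and reports, per index, which field name supports exact-match filters and its ignore_above limit. The sample mapping, the index names logs-a/logs-b/logs-c, and the function names are constructed for illustration.

```python
# Added example: decide which field name supports exact-match (term) filters,
# given the body returned by GET logs-*/_mapping.
# SAMPLE_MAPPING is constructed; the index names are placeholders.
SAMPLE_MAPPING = {
    "logs-a": {"mappings": {"properties": {"event": {"properties": {
        "category": {"type": "keyword", "ignore_above": 1024}}}}}},
    "logs-b": {"mappings": {"properties": {"event": {"properties": {
        "category": {"type": "text", "fields": {
            "keyword": {"type": "keyword", "ignore_above": 256}}}}}}}},
    "logs-c": {"mappings": {"properties": {"event": {"properties": {
        "category": {"type": "text"}}}}}},
}


def find_field(properties, dotted_path):
    """Walk nested "properties" objects and return the leaf definition."""
    node = None
    for part in dotted_path.split("."):
        node = (properties or {}).get(part)
        if node is None:
            return None
        properties = node.get("properties")
    return node


def exact_match_field(mapping_response, dotted_path):
    """Per index: (field to use in a term filter or None, ignore_above or None)."""
    result = {}
    for index, body in mapping_response.items():
        leaf = find_field(body["mappings"].get("properties"), dotted_path)
        if leaf is None:
            result[index] = (None, None)        # field is not mapped at all
        elif leaf.get("type") == "keyword":
            result[index] = (dotted_path, leaf.get("ignore_above"))
        else:
            sub = leaf.get("fields", {}).get("keyword")
            if sub and sub.get("type") == "keyword":
                result[index] = (dotted_path + ".keyword", sub.get("ignore_above"))
            else:
                result[index] = (None, None)    # text only, no .keyword subfield
    return result


def would_index(value, ignore_above):
    """False when the string is longer than ignore_above and so is not indexed."""
    return ignore_above is None or len(value) <= ignore_above


if __name__ == "__main__":
    for index, (field, limit) in exact_match_field(SAMPLE_MAPPING, "event.category").items():
        print(index, field, limit)
```

When a logs-* pattern spans indices with different mappings, as in the sample, the same query can match in one index and return nothing in another.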