Kibana using ".raw" field, when I'm telling it not to #1287

Closed
KhaoticMind opened this issue Jun 9, 2014 · 4 comments

@KhaoticMind

Hey,
I'm using Kibana to visualize some OSSEC logs.
The problem I'm facing is that, when I set up a terms panel and set the field to be "host" (for example), it is using "host.raw" in the query, as seen below.

  "facets": {
    "terms": {
      "terms": {
        "field": "host.raw",
        "size": 10,
        "order": "count",
        "exclude": []
      },
      "facet_filter": {
        "fquery": {
          "query": {

I'm using ES multifields to create the raw field as below

"host" : {
  "norms" : {
    "enabled" : false
  },
  "type" : "string",
  "fields" : {
    "raw" : {
      "index" : "not_analyzed",
      "ignore_above" : 256,
      "type" : "string"
    }
  }
}

The problem here is that I've removed the multifield on some of my indexes and so the result from host.raw is completely off when compared to just host.

Any idea what might be wrong?
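
The mismatch described in this post can be confirmed from the mappings themselves. The following is an added example, not part of the original post or of Kibana: it walks a response shaped like Elasticsearch 1.x `GET /_mapping` and lists the indices where `host` has lost its `not_analyzed` `raw` sub-field. The index names, the type name and the helper function names are constructed for illustration.

```python
# Constructed sample in the shape of an Elasticsearch 1.x GET /_mapping response.
# Index and type names are made up; the "host" mapping follows the one in the post.
SAMPLE_MAPPINGS = {
    "ossec-2014.06.08": {"mappings": {"ossec": {"properties": {
        "host": {"type": "string", "norms": {"enabled": False},
                 "fields": {"raw": {"type": "string",
                                    "index": "not_analyzed",
                                    "ignore_above": 256}}},
    }}}},
    "ossec-2014.06.09": {"mappings": {"ossec": {"properties": {
        "host": {"type": "string"},  # multi-field removed on this index
    }}}},
}


def _resolve(type_mapping, field):
    """Follow a dotted field path through nested "properties" blocks."""
    node = type_mapping
    for part in field.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def raw_subfield_coverage(mappings, field, sub="raw"):
    """Map each index to True if `field` has a not_analyzed `sub` sub-field."""
    coverage = {}
    for index, body in mappings.items():
        found = False
        for type_mapping in body.get("mappings", {}).values():
            node = _resolve(type_mapping, field)
            subdef = (node or {}).get("fields", {}).get(sub)
            if subdef and subdef.get("index") == "not_analyzed":
                found = True
        coverage[index] = found
    return coverage


def inconsistent_indices(mappings, field, sub="raw"):
    """Indices missing the sub-field when at least one other index has it."""
    coverage = raw_subfield_coverage(mappings, field, sub)
    if not any(coverage.values()):
        return []  # no index has it, so nothing is inconsistent
    return sorted(index for index, ok in coverage.items() if not ok)


if __name__ == "__main__":
    print(inconsistent_indices(SAMPLE_MAPPINGS, "host"))
```

Any index this reports will contribute no terms to a facet on `host.raw`, which is why the panel's counts diverge from a facet on `host`.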

@batwad

batwad commented Jul 30, 2014

I've noticed this behaviour myself and found it a bit weird. The terms panel looks for a "raw" field automatically it seems:
https://github.com/elasticsearch/kibana/blob/master/src/app/panels/terms/module.js#L155

I've removed the corresponding code from my local kibana installation and it uses the field I specify, leaving me in full control.

I can understand the reasoning behind doing this for the terms panel, but I would still rather be in control and be able to tell it to use the raw field if I want it to.

@rashidkpc
Contributor

We've abandoned this behavior in Kibana 4; you're welcome to use .raw if you'd like, but we don't force it on you anymore.

@jasonrhaas

@rashidkpc is there a way to allow kibana4 to recognize the .raw fields that Logstash generates?

@blevine

blevine commented Apr 2, 2015

Same question as @jasonrhaas. I want to be able to use the raw fields as terms in an aggregation, but none of the *.raw fields I'm generating appear in the dropdown. I've confirmed that the .raw fields are actually generated and indexed by using them successfully in a query.
