Terms table that has a "-" in the field splits the item up

[datreic]

Creating a "Terms" panel and setting the term to a field that contains "-" in the items causes them to either be broken into multiple rows (duplicated statistics) in the panel or to be removed from the panel

For exampe:

[randywallace]

This is a problem you have with your mapping in elasticsearch.

The default analyzer will split your fields by dash, among other characters; the solution is to either change the analyzer for that field, to disable it altogether, or to use a multi-field mapping to handle both analyzed and non_analyzed fields (for which you should use the non-analyzed variant for the terms panel search). Reluctantly, this will likely require re-indexing your data for all given solutions.

Please refer to this for some tips on how to prevent this (and the extremely high possibility of heap spacing your elasticsearch datanodes): http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-facets-terms-facet.html#_memory_considerations_2

Since this is not a Kibana issue, @rashidkpc will likely close this ticket.

[samdoran]

I'm having the same issue and was wondering if it's Kibana or ES. Nice to know where to start looking.

[samdoran]

I found two awesome answers on this issue:
elasticsearch index template management
Logstash 1.3.1 Release

The short answer if you're using LS 1.3.1 or later is change your terms query to [field].raw and it will behave is expected. This was addressed using an index template that applies not_analyzed to the .raw fields. Very slick.

[fireflyk]

I met the same problem. Indeed, use xxxxx.raw as the key field.

[chrisspiegl]

As of logstash 1.4 this seems to no longer work.