Need help to understand elasticsearch mapping output

Time:10-28

I have an elastic schema which defines a field, action, as 'keyword'. However, when I query the mapping /flowlog-2022-10-18/_mapping, it returns the field as 'text'. I am not able to understand the output. Why does the type come as 'text' and not as 'keyword'? What is the 'field' part in the mapping output? Why is there a 'keyword' part inside the 'field' part?

Excerpt from the schema

{
        "index_patterns": [
                "flowlog*",
                "flowobsrv*"
        ],
        "settings": {
                "number_of_shards": 5,
                "analysis": {
                        "normalizer": {
                                "lower": {
                                        "type": "custom",
                                        "filter": [
                                                "lowercase"
                                        ]
                                }
                        }
                }
        },
        "mappings": {
                "properties": {
                        "id": {
                                "type": "keyword"
                        },
                        "action": {
                                "type": "keyword"
                        },

Excerpt from the mapping output

{
    "flowlog-2022-10-18": {
        "mappings": {
            "properties": {
                "action": {
                    "type": "text",
                    "fields": {
                        "keyword": {
                            "type": "keyword",
                            "ignore_above": 256
                        }
                    }
                },

Thank you.

Edit[To respond to @Val's question]

{
    "1": {
        "name": "flowlogtmplt",
        "index_patterns": "[flowlog*, flowobsrv*]",
        "order": "0",
        "version": null,
        "composed_of": ""
    },

    "14": {
        "name": "flowlog",
        "index_patterns": "[flowlog-*]",
        "order": "0",
        "version": null,
        "composed_of": "[]"
    },

}

CodePudding user response:

Since both templates have the same order value, one is probably overriding the other. My guess is that 14 is overriding 1.
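
The overlap this answer points to can be checked directly from the template listing in the question. The following is an added example, not part of the original post or answer; the function names are hypothetical and the index name `flowobsrv-2022-10-18` is constructed as a contrast case.

```python
import re
from collections import defaultdict

# Rows copied from the template listing in the question (ids "1" and "14").
TEMPLATES = {
    "1": {"name": "flowlogtmplt", "index_patterns": "[flowlog*, flowobsrv*]", "order": "0"},
    "14": {"name": "flowlog", "index_patterns": "[flowlog-*]", "order": "0"},
}

def parse_patterns(raw):
    """Turn the listing's '[a*, b*]' string into ['a*', 'b*']."""
    return [p.strip() for p in raw.strip("[]").split(",") if p.strip()]

def pattern_matches(pattern, index_name):
    """Treat '*' as the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None

def matching_templates(templates, index_name):
    """Return sorted (order, name) pairs for templates that match the index."""
    hits = []
    for row in templates.values():
        patterns = parse_patterns(row["index_patterns"])
        if any(pattern_matches(p, index_name) for p in patterns):
            hits.append((int(row["order"]), row["name"]))
    return sorted(hits)

def order_ties(templates, index_name):
    """Map each order value shared by two or more matching templates to their names."""
    by_order = defaultdict(list)
    for order, name in matching_templates(templates, index_name):
        by_order[order].append(name)
    return {o: names for o, names in by_order.items() if len(names) > 1}

if __name__ == "__main__":
    # The first index is the one from the question; the second is constructed.
    for index in ("flowlog-2022-10-18", "flowobsrv-2022-10-18"):
        print(index, matching_templates(TEMPLATES, index), order_ties(TEMPLATES, index))
```

A non-empty result from `order_ties` means the index is covered by more than one template at the same order, which is the situation the answer suspects for `flowlog-2022-10-18`.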
