I am experimenting with ECS - Elastic Common Schema. We need to highlight text search for the field error.stack_trace . This field is a multi-field mapped defined

Is it a Kibana expected behavior not to highlight multi-fields?

CodePudding user response：

wildcard type will be not available to search using full text query as mentioned in documentaion (it is part of keyword type family):

The wildcard field type is a specialized keyword field for unstructured machine-generated content you plan to search using grep-like wildcard and regexp queries.

So when you try below query it will not return result and this is the reason why it is not highlghting your stack_trace02 field in discover.

POST simple-index-01/_search
{
  "query": {
    "match": {
      "stack_trace02": "null"
    }
  }
}

But below query will give result:

{
  "query": {
    "wildcard": {
      "stack_trace02": {
        "value": "*null*"
      }
    }
  }
}

You can create index mapping something like below and your parent type field should text type:

PUT simple-index-01
{
  "mappings": {
    "properties": {
      "stack_trace01": {
        "type": "text"
      },
      "stack_trace02": {
        "fields": {
          "text": {
            "type": "wildcard"
          }
        },
        "type": "text"
      }
    }
  }
}

You can now use stack_trace02.wildcard when you want to search wildcard type of query.

There is already open issue on similar behaviour but it is not for wildcard type.