Why are *.raw fields empty in Kibana?

Question

With a standard configuration of ELK stack (deviant/docker-elk)

and the template http://localhost:9200/logstash-alimentaris/_mapping/?pretty=true set to:

{
   "string_fields": {
      "mapping": {
         "fielddata": {},
         "index": "analyzed",
         "omit_norms": true,
         "type": "string",
         "fields": {
            "raw": {
               "ignore_above": 256,
               "index": "not_analyzed",
               "type": "string",
               "doc_values": true
            }
         }
      },
      "match": "*",
      "match_mapping_type": "string"
   }
}

In Kibana all raw fields are empty. What are some possibilities to investigate what hinders Elasticsearch to fill the raw fields? One possibility is to create a custom template: Change default mapping of string to "not analyzed" in Elasticsearch But, it is documented that the raw index works out of the box, and it would be in many cases better to stick with the default configuration. What are possible solutions, hints?

so the answer is that they can be used for visualization but in kibana>discover they can't show up — Roland Kofler
That's correct, they don't show in the Discover tab because there's no added value in displaying them since their content would be exactly the same as the main field. As you've seen, though, they come in handy in visualization, especially when building terms aggregations. — Val

Roland Kofler Roland Kofler · Accepted Answer · 2016-01-18T06:54:43

The logic in Kibana is to not show the raw variables in the discover pane. They show up only if one selects "show missing fields", and then they are represented as empty. In the visualizations one can and should use the .raw fields in most of the aggregations.

Why are *.raw fields empty in Kibana?

1 Answers