difference between a field and the field.keyword

ElasticsearchKibana

Elasticsearch Problem Overview

If I add a document with several fields to an Elasticsearch index, when I view it in Kibana, I get each time the same field twice. One of them will be called

some_field

and the other one will be called

some_field.keyword

Where does this behaviour come from and what is the difference between both of them?

PS: one of them is aggregatable (not sure what that means) and the other (without keyword) is not.

Elasticsearch Solutions

Solution 1 - Elasticsearch

Update : A short answer would be that type: text is analyzed, meaning it is broken up into distinct words when stored, and allows for free-text searches on one or more words in the field. The .keyword field takes the same input and keeps as one large string, meaning it can be aggregated on, and you can use wildcard searches on it. Aggregatable means you can use it in aggregations in elasticsearch, which resembles a sql group by if you are familiar with that. In Kibana you would probably use the .keyword field with aggregations to count distinct values etc.

Please take a look on this article about text vs. keyword.

Briefly: since Elasticsearch 5.0 string type was replaced by text and keyword types. Since then when you do not specify explicit mapping, for simple document with string:

{
  "some_field": "string value"
}

below dynamic mapping will be created:

{
  "some_field": {
    "type" "text",
    "fields": {
      "keyword": {
        "type": "keyword",
        "ignore_above": 256
      }
    }
  }
}

> As a consequence, it will both be possible to perform full-text search on some_field, and keyword search and aggregations using the some_field.keyword field.

I hope this answers your question.

Solution 2 - Elasticsearch

Look at this issue. There is some explanation of your question in it. Roughly speaking some_field is analyzed and can be used for fulltext search. On the other hand some_field.keyword is not analyzed and can be used in term queries or in aggregation.

Solution 3 - Elasticsearch

I will try to answer your questions one by one. Where does this behavior come from? It is introduced in Elastic 5.0.

What is the difference between the two? some_field is used for full text search and some_field.keyword is used for keyword searching. Full text searching is used when we want to include individual tokens of a field's value to be included in search. For instance, if you are searching for all the hotel names that has "farm" in it, such as hay farm house, Windy harbour farm house etc.

Keyword searching is used when we want to include the whole value of the field in search and not individual tokens from the value. For eg, suppose you are indexing documents based on city field. Aggregating based on this field will have separate count for "new" and "york" instead of "new york" which is usually the expected behavior.

From Elastic 5.0 onwards, strings now will be mapped both as keyword and text by default.

Categories
Recommended Elasticsearch Solutions

Previous Solution:

Why and when to use @JvmStatic with companion objects?

JavaAndroidKotlinKotlin Companion

Next Solution:

Execute a function after Flask returns response

PythonMultithreadingFlask

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestiontomakView Question on Stackoverflow
Solution 1 - ElasticsearchPiotr PradzynskiView Answer on Stackoverflow
Solution 2 - ElasticsearchbriarheartView Answer on Stackoverflow
Solution 3 - ElasticsearchAnkur SaoView Answer on Stackoverflow