I have the following sample docs in Elasticsearch:

    [
      {
        "_index": "beatbox-2018.11.19",
        "_source": {
          "connection": "10",
          "user": "op-dashboard",
          "key": "monolith_connection_sniffer"
        }
      },
      {
        "_index": "beatbox-2018.11.19",
        "_source": {
          "connection": "10",
          "user": "op-dashboard",
          "key": "monolith_connection_sniffer"
        }
      }
    ]

When I query on user, I get the expected result.

    curl -X GET \
      'http://127.0.0.1:9200/beatbox-2018.11.19/_search?q=user:op-dashboard'

In Grafana:
I was trying to add a query with a Variable for the user field.

    { "find": "terms", "field": "user" }

But I got tokenised values of the user field.
`op`, `dashboard`
In the background, the following payload is sent for the query:

    {
      "size": 0,
      "query": {
        "bool": {
          "filter": [
            {
              "query_string": {
                "analyze_wildcard": true,
                "query": "*"
              }
            }
          ]
        }
      },
      "aggs": {
        "1": {
          "terms": {
            "field": "user",
            "size": 500,
            "order": {
              "_term": "asc"
            }
          }
        }
      }
    }

The query returns a tokenised result. How can I stop it?
I have already tried with the following template:

    {
      "index_patterns": [
        "beatbox*"
      ],
      "mappings": {
        "doc": {
          "properties": {
            "user": {
              "type": "text",
              "fielddata": true,
              "analyzer": "whitespace",
              "search_analyzer": "whitespace"
            }
          }
        }
      }
    }

And also with an analyzer:

    {
      "index": {
        "analysis": {
          "default": {
            "analyzer": {
              "analyzer_keyword": {
                "tokenizer": "whitespace"
              }
            }
          }
        }
      }
    }

Mapping for index:

    {
      "beatbox-2018.11.19": {
        "mappings": {
          "doc": {
            "_all": {
              "enabled": false
            },
            "numeric_detection": true,
            "properties": {
              "connection": {
                "type": "long"
              },
              "key": {
                "type": "text",
                "norms": false,
                "index_options": "freqs"
              },
              "user": {
                "type": "text",
                "fielddata": true
              }
            }
          }
        }
      }
    }

Any help?
You should use the Keyword datatype of Elasticsearch instead of the text datatype in the `user` field, as you are aggregating on it.
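
The mapping change the answer describes, written as an index template for the question's `beatbox*` pattern and `doc` mapping type. This is an added example, not part of the original answer; it would be stored with `PUT _template/beatbox`, where the template name `beatbox` is an assumption.

```json
{
  "index_patterns": [
    "beatbox*"
  ],
  "mappings": {
    "doc": {
      "properties": {
        "user": {
          "type": "keyword"
        }
      }
    }
  }
}
```

Index templates are applied only when an index is created, so `beatbox-2018.11.19` keeps its `text` mapping until it is reindexed, while daily indices created afterwards get the `keyword` mapping. A `keyword` field is not analyzed, so the terms aggregation behind the Grafana variable returns `op-dashboard` as a single bucket.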