Elasticsearch Query-Variable for terms does not work

Hi everone,
I’ll try to describe my problem as structured as possible.

What I’m using:

  • grafana 7.5 (but got the same issue in 8.3.3)
  • elasticsearch 7.9.0
  • elasticsearch index with the following mapping of field ID:
"abcdefghijklmnop" : {
    "mappings" : {
      "properties" : {
        "ID" : {
          "type" : "keyword"
        },...
  • an indexed document with the field ID:
        "_index" : "abcdefghijklmnop",
        "_type" : "_doc",
        "_id" : "2022-01-07 11:53:40_2",
        "_score" : 1.0,
        "_source" : {
          "ID" : "2022-01-07 11:53:40_2",
          "startTime" : "2022-01-11 09:53:56+0100",
          "endTime" : "2022-01-11 09:59:29+0100",
          "type" : "Analysis"
        }

What I want to achieve:

  • Create a variable that contains all values of the field ID in all documents in the given index.
  • So with the example document above, the variable should contain “2022-01-07 11:53:40_2”

What I tried:

Problem:

  • The variable does not contain anything, as you see in the Preview section of the image above.

Notes:

  • A Query-Variable like {"find":"fields", "type":"keyword"} works as expected and gives me all fields that were mapped as keywords:
  • Removing the query part does not effect the result.

I googled the whole day and tried to use the examples and solutions of other threads, but nothing worked. I’m very thankfull for any advice.

Thanks in advance

1 Like

I have the exact same issue, if somebody could provide a solution that would be great!

I too facing exact issue. it will be great if somebody could share the solution

I’ve commented on @shubhamgupto’s issue in github here. The term search is also looking for a keyword field. I’m working on updating our docs to make this more clear.

The datasource returns an error in the background when the text field is used:

caused_by: {type: "illegal_argument_exception",…}
reason: "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [cluster-name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
type: "illegal_argument_exception"

Using the .keyword field, should work:

2 Likes

Hi melori,
thanks for the reply. But it seems like my issue has another cause, as the field I am querying is already mapped as keyword (see original post at the top).
Is my query maybe wrong somehow?

many greetings
Alex