Sorry for my confusion; I was reading up on the ES keyword type:
A field to index structured content such as email addresses, hostnames, status codes, zip codes or tags.
They are typically used for filtering (Find me all blog posts where status is published), for sorting, and for aggregations. Keyword fields are only searchable by their exact value.
Our indexes hold many structured fields exactly for the purpose of sorting/aggregating, but our mapping stems from the 2.x era, hence none of them are marked as keywords but rather as strings or numbers. Would it now be necessary in ES 5.x to have a keyword field for Grafana to query with an aggregation on a structured field ‘host’ like:
‘host’ is currently mapped just as a string field.
If we changed such fields to the keyword type rather than string, would we then still be able to query them by regexp, e.g. host:/hostname./, when the ES doc says:
Keyword fields are only searchable by their exact value
OK, after changing the group-by aggregation to e.g. host.keyword (without having defined the host field as such in the ES index), I can see some data in Grafana; only the latest index, created after 01:00 last night, seems to round values to integers rather than floats as in yesterday’s index created by ES 2.4. Wondering what’s changed…
Also, why would the Max aggregation not show when Count does in the queries below?