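Difference between a field and field.keyword

If I add a document with several fields to an Elasticsearch index, then when I view it in Kibana I get each field twice. One of them will be called

some_field

and the other one will be called

some_field.keyword

Where does this behaviour come from? What is the difference between them?

PS: one of them is aggregatable (not sure what that means), and the other (without keyword) is not aggregatable.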


Look at this issue. There is some explanation of your question in it. Roughly speaking, some_field is analyzed and can be used for full-text search. On the other hand, some_field.keyword is not analyzed and can be used in term queries or in aggregations.

Update: A short answer would be that type: text is analyzed, meaning it is broken up into distinct words when stored, and allows for free-text searches on one or more words in the field. The .keyword field takes the same input and keeps it as one large string, meaning it can be aggregated on, and you can use wildcard searches on it. Aggregatable means you can use it in aggregations in Elasticsearch, which resemble a SQL GROUP BY if you are familiar with that. In Kibana you would probably use the .keyword field with aggregations to count distinct values etc.


Please take a look at this article about text vs. keyword.

Briefly: since Elasticsearch 5.0 the string type was replaced by the text and keyword types. Since then, when you do not specify an explicit mapping, for a simple document with a string:

{
  "some_field": "string value"
}

the dynamic mapping below will be created:

{
  "some_field": {
    "type": "text",
    "fields": {
      "keyword": {
        "type": "keyword",
        "ignore_above": 256
      }
    }
  }
}

As a consequence, it will both be possible to perform full-text search on some_field, and keyword search and aggregations using the some_field.keyword field.

I hope this answers your question.

I will try to answer your questions one by one. Where does this behavior come from? It is introduced in Elastic 5.0.

What is the difference between the two? some_field is used for full-text search and some_field.keyword is used for keyword searching. Full-text searching is used when we want individual tokens of a field's value to be included in the search. For instance, if you are searching for all the hotel names that have "farm" in them, such as hay farm house, Windy harbour farm house etc.

Keyword searching is used when we want to include the whole value of the field in the search and not individual tokens from the value. For example, suppose you are indexing documents based on a city field. Aggregating based on this field will have a separate count for "new" and "york" instead of "new york", which is usually the expected behavior.

From Elastic 5.0 onwards, strings now will be mapped both as keyword and text by default.
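An added example, not part of any answer above and not Elasticsearch code: a small Python model of how the same value is indexed under some_field (text) and some_field.keyword, showing why aggregation buckets and exact-term queries differ and what ignore_above: 256 does to long values. The tokenizer is a simplified stand-in for the default analyzer, and the city documents and all function names are constructed for illustration.

```python
import re
from collections import Counter

IGNORE_ABOVE = 256  # limit from the dynamic mapping quoted above

def analyze_text(value):
    """Simplified stand-in for the default analyzer of a text field:
    lowercase the value and split it into word tokens."""
    return [tok for tok in re.split(r"[^0-9a-z]+", value.lower()) if tok]

def index_keyword(value):
    """keyword sub-field: the whole value is one term, and values longer
    than ignore_above are not indexed at all."""
    return [value] if len(value) <= IGNORE_ABOVE else []

def build_index(docs, field, indexer):
    """Build an inverted index: term -> set of document ids."""
    index = {}
    for doc_id, doc in enumerate(docs):
        for term in indexer(doc[field]):
            index.setdefault(term, set()).add(doc_id)
    return index

def terms_agg(index):
    """Model of a terms aggregation: document count per indexed term.
    (On a real text field this needs fielddata, which is off by default.)"""
    return Counter({term: len(ids) for term, ids in index.items()})

def term_query(index, term):
    """Exact-term lookup, no analysis of the query string."""
    return sorted(index.get(term, set()))

# Constructed sample documents; the last value is 299 characters long.
DOCS = [
    {"city": "New York"},
    {"city": "New York"},
    {"city": "New Orleans"},
    {"city": " ".join(["long"] * 60)},
]
TEXT_INDEX = build_index(DOCS, "city", analyze_text)        # city
KEYWORD_INDEX = build_index(DOCS, "city", index_keyword)    # city.keyword

if __name__ == "__main__":
    print("city buckets:        ", dict(terms_agg(TEXT_INDEX)))
    print("city.keyword buckets:", dict(terms_agg(KEYWORD_INDEX)))
    print("term 'New York' on city:        ", term_query(TEXT_INDEX, "New York"))
    print("term 'New York' on city.keyword:", term_query(KEYWORD_INDEX, "New York"))
```

The 299-character value is still findable through the text index but is absent from the .keyword buckets and exact-term lookups, which matters when counting distinct values of long log fields.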