ElasticSearch Choosing Field Mappings

Published on Author gryzli

If you want to spend good time with ElasticSearch you must choose very carefully your elasticsearch index field mappings. Proper field mappings are extremely important in order to be able to search properly inside your data.

Keep in mind that ElasticSearch differs a lot between major versions. The current article is written for the current stable ES version , which is 6.5.x .

Difference Between Keyword And Text DataTypes For Storing Your Data

Before going into some real-life examples for using different data-types, there are some things to know about the most used ES data types for storing data.

 

When to use “keyword” field datatype in ElasticSearch

Keyword should be use in the following situations:

  • Keywords are stored as they are inside the Lucene Index
  • Keyword can be used for filtering and aggregations – That is really important if you try to do things like ‘GROUP BY’  or “WHERE id=’5′”
  • Keywords could be sarched with Term-Level Queries like: range, exists, regexp, wildcard

Information about all the term-level queries supported by ES could be checked here:

https://www.elastic.co/guide/en/elasticsearch/reference/current/term-level-queries.html

 

Summary:  If you are not going to use the field for full-text search and you wont store very big chunks of data inside this field, keyword is your datatype to go with.

 

When to use “text” field datatype in ElasticSearch

Text datatype should be used when you plan to do full-text search on this field.

Also it could be used for storing big chunks of information like multiline logs , text files or scripts and be able to search there.

 

How To Store IP Addresses Inside ElasticSearch

Most people are using ES for storing network-related data (logs, metrics or something similar), which almost 100% will contain IP addresses.

You could store your IP address in both keyword, text or ip datatype, but most of the times you will choose IP Datatype or Keyword Datatype

 

Storing IP Addresses As Keyword Datatype

The good point of storing your IP inside keyword field, is that you will be able to execute queries that are using regexp or wildcards like:

 

# Give me all addresses beginning with 192.168, 192.169

 

…or with wildcard…

# Give me all addresses beginning with 10.

 

 

Storing IP Addresses As IP Datatype

If you are storing your ip addresses as IP Datatype you will have the following benefits:

  • Elastic will validate if your IP is complying IPv4 / IPv6
  • You would be able to search by CIDR for ip addresses
  • Faster search times than keyword

 

If you used ip for your mapping, you would be able to issue the following query :

 

Storing IP Addresses As Both IP/Keyword

This is the best of the two options above. By having your IP as both keyword and ip , you will get the benefits of both datatypes. The only drawback is that each record, will take bit more storage.

By using the “fields” mapping setting, you are able to tell ElasticSearch to automatically copy the value of one field into another field of different mapping type.

No need to create two mappings for the different types.

Here is how such a definition looks like (inside Kibana):

With the mapping above, you could access your ip as IP (my_test_index->ip) or Keyword (my_test_index->ip.keyword).

 

 

How To Store Binary Files Inside ElasticSearch

If you are planning to store some binary data inside your ES, for example uploads, user files, images or things like that, you wont be able to store them in their original format.

Before storing binary content you will need to encode it , preferably in base64.

After you have encoded your binary content, you can store it either in “text” or “binary” datatype field.

 

More about binary datatype could be found in Elastic Docs:

https://www.elastic.co/guide/en/elasticsearch/reference/current/binary.html

 

How To Store Geo Coordinates Inside ElasticSearch

If you plan to use Kibana visualizations to draw your data on a Geo Map, you will need to have your Geo coordinates stored in a special field map , called: “geo_point” datatype.

There is very well written example of how to use geo_point by Elastic

https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

 

How To Store Arrays Inside ElasticSearch

Currently there is no separate array datatype for arrays inside Elastic. Every field could have multiple values in the form of array.

Here is an example of this

 

Now if we search the index, will get the following:

 

What happens here is that Elastic will store each of the array values as a separate fully-functional value. So when you execute search based on some criteria, each of the array values will be iterated and matched to your criteria.

 

How To Store Hash (Associative Arrays) Inside ElasticSearch

 

The easiest way to explain when you may need to use hashes or associative arrays inside Elastic is by example …of course.

 

Let say you are inserting document per HTTP query inside your index. So you are actually putting something like that:

 

Time has passed, and you decided, that you want to parse the “Cookie” HTTP header, and store each of the cookies as a separate key/value pair inside your Index.

Cookie headers look like this:

Cookie: name1=value1 ; name2=value2 ; name3=value3 ……

 

After parsing your Cookie field, it is very likely that you will end up with Index inputs like those (at least I did it):

 

“$cookie_name” is random “name” extracted from your Cookie header.

Because $cookie_name is “random“, Elastic will apply dynamic field mapping for each “$cookie*_name”  you insert in the index.

This design has one HUGE DRAWBACK/PROBLEM  it will lead you to the famous term “ElasticSearch Mapping Explosion“.

There is nice blog post on elastic blog about this:

https://www.elastic.co/blog/found-crash-elasticsearch

 

This will happen because during the time, you will create more and more new/unique fields to your Index Mapping, that at certain point will fulfill your node’s memory.

 

How To Prevent Mapping Explosion In ElasaticSearch ?

or The right way of storing hash/associative array/ structures inside ElasticSearch …

 

1) First create your field as “nested” data type

 

 

2) Put your data inside your nested structure

What you may noticed already is that your field names are always the same (name and value) and only the values inside are changing, which is perfectly normal.

 

3) Finally, let’s try to search by cookie_name or cookie_value