Exceeding maximum length of field in elasticsearch - error in kibana

Question

Discover: The length of [message] field of [-CSnZmwB_xkQcDCOrP1V] doc of [prod_logs] index has exceeded [1000000] - maximum allowed to be analyzed for highlighting. This maximum can be set by changing the [index.highlight.max_analyzed_offset] index level setting. For large texts, indexing with offsets or term vectors is recommended!

I get the above error in Kibana. I use ELK version 7.2.0. Answers / Suggestions are most welcome.

As the error message perfectly states you must adjust the setting 'index.highlight.max_analyzed_offset' of your index. Please provide us your index settings via GET /prod_logs/_settings. — apt-get_install_skill, Aug 06 '19 at 21:25

score 3 · Answer 1 · edited Jul 28 '20 at 10:01

You should change your mapping.If you can not update your mapping create a temp new index.And add term_vector your big text field

"mappings": { "properties": { "sample_field": { "type": "text", "term_vector": "with_positions_offsets" } } }

Then clone your data to new index.

POST /_reindex { "source": { "index": "old_index" }, "dest": { "index": "new_index" } }

Then use "unified" in highlight query.

"highlight": { "fields": { "textString": { "type": "unified" } }

like that.

Exceeding maximum length of field in elasticsearch - error in kibana

1 Answers1

Linked