elasticsearch聚合时提示Fielddata is disabled on text fields by default或Set update_all_types to true to_es fielddata is disabled on text fields instead

执行以下es聚合语句：

GET threats/attack/_search
{
  "aggs": {
    "srcIp": {
      "terms": { "field": "info.src_ip"}
    }
  }
}
1
2
3
4
5
6
7
8

报错：

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [info.src_ip] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "megacorp",
        "node": "jbFtoSVqQAqfYhE5uTBFvw",
        "reason": {
          "type": "illegal_argument_exception",
          "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [info.src_ip] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
        }
      }
    ]
  },
  "status": 400
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

原因：Elasticsearch 5.x版本以后，对排序和聚合等操作，用单独的数据结构(fielddata)缓存到内存里了，默认是不开启的，需要单独开启。

解决办法：

PUT threats/_mapping/attack
{
  "properties": {
    "info.src_ip": { 
      "type":     "text",
      "fielddata": true
    }
  }
}
1
2
3
4
5
6
7
8
9

执行命令后，返回acknowledge:true，代表成功

若报下面错误：
原因:因为字典名称重复使用所以要使用update_all_types 会更新所有字段名相同的属性

解决办法：加上?update_all_types即可，如下图：