elasticsearch
data_error
ai_generated
true
IllegalArgumentException: Field [user.name] of type [keyword] in index [logs-2025] has a length of [32768] which exceeds the maximum allowed length of [8191] for fielddata
ID: elasticsearch/field-capping-exception
Fix Rate: 92%
Confidence: 88%
Evidence: 1
First Seen: 2023-08-25
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| 7.16.0 | active | — | — | — |
| 8.0.0 | active | — | — | — |
| 8.11.0 | active | — | — | — |
Root Cause
A keyword field contains a value that exceeds the maximum length for fielddata loading, causing aggregation or sorting operations to fail.
Official Documentation
https://www.elastic.co/guide/en/elasticsearch/reference/current/fielddata.html
Workarounds
- 85% success: Change the field mapping from keyword to text with a keyword sub-field that has ignore_above set to a larger value or disabled:

  ```
  PUT /logs-2025/_mapping
  {
    "properties": {
      "user.name": {
        "type": "text",
        "fields": {
          "keyword": { "type": "keyword", "ignore_above": 100000 }
        }
      }
    }
  }
  ```

- 80% success: Use a runtime field to truncate the value before aggregation. The script skips documents without a value and only truncates values longer than 8000 characters:

  ```
  GET /logs-2025/_search
  {
    "runtime_mappings": {
      "user.name.truncated": {
        "type": "keyword",
        "script": "if (doc['user.name'].size() > 0) { String v = doc['user.name'].value; emit(v.substring(0, Math.min(v.length(), 8000))); }"
      }
    },
    "aggs": {
      "by_name": { "terms": { "field": "user.name.truncated" } }
    }
  }
  ```
Dead Ends
Common approaches that don't work:
- 70% fail: Increasing the fielddata limit via indices.fielddata.cache.size only affects cache size, not the per-field length limit, which is hardcoded.
- 90% fail: Reindexing the same data without changing the mapping or field type will reproduce the error.