Currently the fields "message", "type", and "source" are string fields which the ES indexer will split (analyze). This is great when searching for individual words (e.g. how many errors happened with the phrase "was not found"), but it will not allow you to do an aggregation on all alerts with the exact message "The controller for path '/foo' was not found or does not implement IController."
In order to do aggregations on these fields they must be multi-fields in ES: the analyzed field for full-text search plus a non-analyzed sub-field holding the exact value.
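As an added illustration (not code from the original issue or the project it belongs to), the following script builds the multi-field mapping the request is asking for and contrasts what each side of the multi-field can answer. It assumes the Elasticsearch 5+ `text`/`keyword` types; on the older `string` mapping the equivalent is a `string` sub-field with `"index": "not_analyzed"`. The sample alerts, the `.keyword` sub-field name and the `analyze` helper (a rough stand-in for the standard analyzer, not the real one) are constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed sample alerts (not taken from the original page).
SAMPLE_ALERTS = [
    {"type": "Error", "source": "WebApp",
     "message": "The controller for path '/foo' was not found or does not implement IController."},
    {"type": "Error", "source": "WebApp",
     "message": "The controller for path '/bar' was not found or does not implement IController."},
    {"type": "Error", "source": "WebApp",
     "message": "The controller for path '/foo' was not found or does not implement IController."},
    {"type": "Warning", "source": "Scheduler",
     "message": "Job 'cleanup' was not found."},
]


def build_mapping(field_names, ignore_above=256):
    """Index mapping in which each named field is analyzed `text` (for word and
    phrase search) and also carries an exact-value `keyword` sub-field, which is
    what a terms aggregation needs. Assumes ES 5+ mapping types."""
    props = {}
    for name in field_names:
        props[name] = {
            "type": "text",
            "fields": {
                # ignore_above keeps very long messages out of the keyword index
                "keyword": {"type": "keyword", "ignore_above": ignore_above}
            },
        }
    return {"mappings": {"properties": props}}


def build_terms_aggregation(field, size=10):
    """Search body that buckets documents by the exact value of `field`.
    Note the aggregation targets `<field>.keyword`, not the analyzed field."""
    return {
        "size": 0,
        "aggs": {
            f"by_{field}": {"terms": {"field": f"{field}.keyword", "size": size}}
        },
    }


def analyze(text):
    """Rough stand-in for the standard analyzer: lowercase, split on non-word
    characters. Only used to show why the analyzed field loses the exact string."""
    return [tok for tok in re.split(r"[^\w]+", text.lower()) if tok]


def count_docs_with_term(docs, field, term):
    """What the analyzed field supports: how many docs contain a given word."""
    return sum(1 for doc in docs if term.lower() in analyze(doc[field]))


def aggregate_exact(docs, field):
    """What the keyword sub-field supports: bucket docs by the exact string,
    the way a terms aggregation on `<field>.keyword` would."""
    return Counter(doc[field] for doc in docs)


if __name__ == "__main__":
    print(json.dumps(build_mapping(["message", "type", "source"]), indent=2))
    print(json.dumps(build_terms_aggregation("message"), indent=2))
    # The analyzed field answers "how many alerts mention 'found'" ...
    print(count_docs_with_term(SAMPLE_ALERTS, "message", "found"))
    # ... but only the exact-value sub-field can separate the three distinct messages.
    for message, count in aggregate_exact(SAMPLE_ALERTS, "message").most_common():
        print(count, message)
```

Running the script prints the mapping and aggregation bodies, then shows that a word search matches all four sample alerts while the exact-value bucketing distinguishes the `/foo` message (2 alerts) from the `/bar` and `cleanup` ones, which is the distinction the issue is after.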