When dealing with lots of data and lots of users, having the ignore_malformed option is great!
And using it in combination with _ignored field can give a lot of information about what is wrong with the data.
But unfortunately we can't aggregate on it, so it's hard to give an overview of which fields had issues in the last X hours.
I think it would be very useful to add .keyword for _ignored field, or make the _ignored field tokenised.
When dealing with lots of data and lots of users, having the
ignore_malformedoption is great!And using it in combination with _ignored field can give a lot of information about what is wrong with the data.
But unfortunately we can't aggregate on it, so it's hard to give an overview of which fields had issues in the last X hours.
I think it would be very useful to add .keyword for _ignored field, or make the _ignored field tokenised.