Access sub-fields in kibana

Elastic Stack Kibana
1

Hello,

In my index i have the field http.request.body.original (see also image below):

image
image1497×211 23.6 KB

As it can be seen tha value of that field is:

{"customerNr":"9203521","sendMethod":"TOUR","partialDelivery":false,"isTourTimetable":false,"deliveryAddressId":"8100000000000154802","items":[{"articleId":1001440486,"quantity":1},{"articleId":1001532184,"quantity":1}]}

And the mapping of that field is the following:

image
image1247×361 29.2 KB

I want to be able when i write the following query

http.request.method : "post" AND http.request.body.original.customerNr: "9203521"

To bring me all the records that the http.request.body.original field has foe which the customerNr is 9203521.

But that doesnt work as the image show below.

image
image1284×469 42.4 KB

What can i do in order to be able to access that sub-fields

"customerNr"
"sendMethod"
"partialDelivery"
"isTourTimetable"
"deliveryAddressId"
"items":[{"articleId":1001440486,"quantity":1},{"articleId":1001532184,"quantity":1}]}

that the http.request.body.original has?

Important note: The potential solution

http.request.method : "post" AND http.request.body.original: *9203521*

is not efficient for me since i want to be able to access the subfields and not to make just text search.

Thank you

2

As far as Elasticsearch is concerned, this field is just a string - it is not aware about the JSON structure within. I don't know what component in your system is sending data to Elasticsearch, but it includes something like this:

{
  "host.os.platform": "Linux",
  "http.request.body.original": "{...}"
}

You have to remove the quotes around that sub-object before sending data to Elasticsearch, otherwise it can't parse it to pick up the things inside. You can also solve this within Elasticsearch by defining an ingest pipeline and using the JSON processor: https://www.elastic.co/guide/en/elasticsearch/reference/current/json-processor.html

In every way you will have to re-index your data. Thinking about it it probably makes sense to solve this within your data source because http.request.body.original doesn't sound like it will be a valid object in every single case. You could try to parse it and it that fails put it in there as a string as a fallback.

1 Like
3

Thank you very much for your reply.

I will communicate with the dev team of my company and ask them to send that field not as a string.
Will let you know here when this happens. :slight_smile:

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.