I am trying to build a central inventory index pulling data from a variety of different places. This means that there are a few aggregations on the way to the final index, which leads to lovely field names such as “wmi.wmi.serial_number.serial.SerialNumber.keyword”. As well as being ugly, this causes issues trying to create Vega visualisations. I’ve tried generating ingest pipelines, but they aren’t finding the field to rename. My best understanding of the cause of the issue is that some of the dots in the name of the field are nesting levels and some are just part of the name, and therefore the whole thing isn’t being parsed properly. Are there better ways of going about this, or a way of getting the pipeline to play nicely?

For a bit of detail, the original document has the serial number stored as:
"SerialNumber": "xxxxxx"
It then runs through an aggregation like so:
"serial_number": {
  "filter": {
    "term": {
      "class.keyword": "Win32_BaseBoard"
    }
  },
  "aggs": {
    "serial": {
      "top_metrics": {
        "metrics": [
          {
            "field": "SerialNumber.keyword"
          }
        ],
        "sort": {
          "@timestamp": "desc"
        }
      }
    }
  }
}
Which then means it’s stored as below:
"serial_number": {
  "serial": {
    "SerialNumber.keyword": "xxxxxxx"
  }
},
The aim is to change this so in the result it’s just stored as:
"uniqueid": "xxxxx"
My current attempt at an ingest pipeline is as below, and results in creating an empty uniqueid field and leaving the SN as it was without the ingest pipeline:
"processors": [
  {
    "set": {
      "field": "uniqueid",
      "value": "{{{_source.serial_number.serial.SerialNumber.keyword}}}"
    }
  }
]
Any help would be much appreciated.
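
One way to handle the literal dotted key described in the post, as an added example that is not part of the original post: the body below can be sent to `POST _ingest/pipeline/_simulate` to try the pipeline against a sample document. It assumes the document reaches the pipeline in the shape shown above, with `SerialNumber.keyword` as a single key under `serial_number.serial`; the sample serial value is constructed.

```json
{
  "pipeline": {
    "description": "Added example, not from the original post. Assumes SerialNumber.keyword is one literal key under serial_number.serial.",
    "processors": [
      {
        "dot_expander": {
          "description": "Expand the literal key SerialNumber.keyword into nested objects so path lookups can resolve it",
          "if": "ctx.serial_number?.serial != null",
          "path": "serial_number.serial",
          "field": "SerialNumber.keyword"
        }
      },
      {
        "rename": {
          "description": "Move the now-addressable value to the flat field",
          "field": "serial_number.serial.SerialNumber.keyword",
          "target_field": "uniqueid",
          "ignore_missing": true
        }
      },
      {
        "remove": {
          "description": "Drop the emptied aggregation wrapper",
          "field": "serial_number",
          "ignore_missing": true
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "serial_number": {
          "serial": {
            "SerialNumber.keyword": "CONSTRUCTED-SN-0001"
          }
        }
      }
    }
  ]
}
```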