Elasticsearch - Object or Array Datatype

NerdSec · September 13, 2017, 6:31am

Hi,

I am parsing proxy logs. These contain around 3 IP address fields. I wish to create a structure, in which IP is the main field with multiple sub-fields present.

The final structure would be similar to something like this:

logs/proxy/1
    { 
      "device": "bluecoat",
      "category": "basic internet"
       "IP": { 
          "device": "10.0.0.1",
          "source":  "10.4.4.1"
          "destination": "104.49.44.1"
        }     
    }

What I want to understand is, which is the most effective way of achieving this in elasticsearch? The data is going to exponentially increase and if I have to query IP to find if x.x.x.x is present, which would be the most effective way of achieving this?

Arrays | Elasticsearch Guide [8.11] | Elastic
Object field type | Elasticsearch Guide [8.11] | Elastic

NerdSec · September 13, 2017, 8:14am

This is so obvious! I almost missed the fact that what I wish to achieve is the Nested DataType.

Accessing event data and fields | Logstash Reference [8.11] | Elastic
Nested field type | Elasticsearch Guide [8.11] | Elastic

system · October 11, 2017, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash - Nested fields Logstash	9	25033	October 12, 2017
Logstash/Elasticsearch - tempate for array of ips from web log? Elasticsearch	2	1596	July 5, 2017
Convert string to array for new and old data in an index Logstash	1	23	August 21, 2024
Can't properly map array of IPv4 from Logstash to ES Elasticsearch	6	1336	July 5, 2017
Convert a field datatype to object or nested in logstash Logstash	7	5274	July 6, 2017

Elasticsearch - Object or Array Datatype

Related Topics