Elasticsearch - Object or Array Datatype

NerdSec · September 13, 2017, 6:31am

Hi,

I am parsing proxy logs. These contain around 3 IP address fields. I wish to create a structure, in which IP is the main field with multiple sub-fields present.

The final structure would be similar to something like this:

logs/proxy/1
    { 
      "device": "bluecoat",
      "category": "basic internet"
       "IP": { 
          "device": "10.0.0.1",
          "source":  "10.4.4.1"
          "destination": "104.49.44.1"
        }     
    }

What I want to understand is, which is the most effective way of achieving this in elasticsearch? The data is going to exponentially increase and if I have to query IP to find if x.x.x.x is present, which would be the most effective way of achieving this?

Arrays | Elasticsearch Guide [8.11] | Elastic
Object field type | Elasticsearch Guide [8.11] | Elastic

NerdSec · September 13, 2017, 8:14am

This is so obvious! I almost missed the fact that what I wish to achieve is the Nested DataType.

Accessing event data and fields | Logstash Reference [8.11] | Elastic
Nested field type | Elasticsearch Guide [8.11] | Elastic

system · October 11, 2017, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.