Got doc.s in a v.6.8 cluster looking like these:
and are wondering how to discover/search for doc.s, which has a specific array element value.
Say logContext.processingIds[*]="some value"
as simple string search like logContext.processingIds:"some value" doesn't work.
TIA
"mappings" : {
"systemlog" : {
"_source" : {
"enabled" : true
},
"properties" : {
"hostName" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"longText" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"shortText" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"otherValues" : {
"type" : "nested",
"properties" : {
"name" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"value" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
}
}
},
"handled" : {
"type" : "boolean"
},
"handledUser" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"logContext" : {
"type" : "nested",
"properties" : {
"valueListId" : {
"type" : "integer"
},
"routingId" : {
"type" : "integer"
},
"docStoreFileId" : {
"type" : "integer"
},
"processingIds" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"workAppId" : {
"type" : "integer"
},
"specialFolderId" : {
"type" : "integer"
},
"processConfigId" : {
"type" : "integer"
}
}
},
"id" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"category" : {
"fielddata" : "true",
"analyzer" : "ignore_lowercase",
"type" : "text"
},
"when" : {
"type" : "date"
},
"value" : {
"type" : "integer"
}
}
}
},
@stefws I think the problem is that you're trying to access data within nested fields - Nested field type | Elasticsearch Guide [8.0] | Elastic
Yes, correctly. Is this not supported in Kibana until 7.6 or what?
@stefws Thats correct, although I'd do a test before you consider upgrading as nested field support is still incomplete.
Okay thanks, it's the plan to upgrade to v.7. soon anyway, so will properly have to wait for this before revisiting this. Remapping isn't an option as it's an embedded solution in an application. So we'll rather not tamper with mapping our self. Though we could dup indicies to our own custom and the remap data 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.