ELK6.8 vs Search on object/array elements

Elastic Stack Kibana
1

Got doc.s in a v.6.8 cluster looking like these:

Screenshot 2022-02-25 at 15.20.03
Screenshot 2022-02-25 at 15.20.03812×1153 62.5 KB

and are wondering how to discover/search for doc.s, which has a specific array element value.
Say logContext.processingIds[*]="some value"
as simple string search like logContext.processingIds:"some value" doesn't work.

TIA

2

Hello @stefws

What is the mapping for the field? What does your query look like?

Thanks,
Matt

3 
    "mappings" : {
      "systemlog" : {
        "_source" : {
          "enabled" : true
        },
        "properties" : {
          "hostName" : {
            "fielddata" : "true",
            "analyzer" : "ignore_lowercase",
            "type" : "text"
          },
          "longText" : {
            "fielddata" : "true",
            "analyzer" : "ignore_lowercase",
            "type" : "text"
          },
          "shortText" : {
            "fielddata" : "true",
            "analyzer" : "ignore_lowercase",
            "type" : "text"
          },
          "otherValues" : {
            "type" : "nested",
            "properties" : {
              "name" : {
                "fielddata" : "true",
                "analyzer" : "ignore_lowercase",
                "type" : "text"
              },
              "value" : {
                "fielddata" : "true",
                "analyzer" : "ignore_lowercase",
                "type" : "text"
              }
            }
          },
          "handled" : {
            "type" : "boolean"
          },
          "handledUser" : {
            "fielddata" : "true",
            "analyzer" : "ignore_lowercase",
            "type" : "text"
          },
          "logContext" : {
            "type" : "nested",
            "properties" : {
              "valueListId" : {
                "type" : "integer"
              },
              "routingId" : {
                "type" : "integer"
              },
              "docStoreFileId" : {
                "type" : "integer"
              },
              "processingIds" : {
                "fielddata" : "true",
                "analyzer" : "ignore_lowercase",
                "type" : "text"
              },
              "workAppId" : {
                "type" : "integer"
              },
              "specialFolderId" : {
                "type" : "integer"
              },
              "processConfigId" : {
                "type" : "integer"
              }
            }
          },
          "id" : {
            "fielddata" : "true",
            "analyzer" : "ignore_lowercase",
            "type" : "text"
          },
          "category" : {
            "fielddata" : "true",
            "analyzer" : "ignore_lowercase",
            "type" : "text"
          },
          "when" : {
            "type" : "date"
          },
          "value" : {
            "type" : "integer"
          }
        }
      }
    },
4

@stefws I think the problem is that you're trying to access data within nested fields - Nested field type | Elasticsearch Guide [8.0] | Elastic

5

Yes, correctly. Is this not supported in Kibana until 7.6 or what?

6

@stefws Thats correct, although I'd do a test before you consider upgrading as nested field support is still incomplete.

7

Okay thanks, it's the plan to upgrade to v.7. soon anyway, so will properly have to wait for this before revisiting this. Remapping isn't an option as it's an embedded solution in an application. So we'll rather not tamper with mapping our self. Though we could dup indicies to our own custom and the remap data :slight_smile: