Hi everyone,
Can someone help me understand the fundamental differences between a 'flattened' field type and an 'object' field type with subobjects=false? AIUI, everything under a 'flattened' object is indexed as a keyword, whereas perhaps objects with no field subobjects support numeric, etc. types in the subkeys; plus, it appears keys in a flattened field are more limited with respect to the types of queries they support. There may also be a difference in terms of tooling support for each type (e.g. Kibana dashboards & rules)?
For context, right now I am trying to solve an ingest problem where we have a lot of dynamic labels in log messages, some of which contain dots leading to mapping conflicts (e.g. label.x="abc" and label.x.y="xyz"). From what I can gather, making labels a flattened field should do the trick but in my research I came across the new subobjects flag in ES8 which also seems like it would work. I'm having a hard time wrapping my head around exactly when it makes sense to use one vs the other.
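The dotted-label conflict described in the post above can be checked for in sample data before it reaches the index. The following is an added example, not part of the original post: a small Python model of dot expansion that reports label keys needing the same path to be both a value and an object. The sample events and function names are constructed for illustration.

```python
from typing import Iterable

# Constructed sample events: dotted label keys as a log shipper might emit them.
SAMPLE_EVENTS = [
    {"label.x": "abc", "label.env": "prod"},
    {"label.x.y": "xyz", "label.env": "dev"},
    {"label.team.name": "core"},
]


def find_dot_conflicts(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (leaf, nested) pairs where `leaf` carries a value in some event
    while `nested` needs `leaf` to be an object once dots are expanded."""
    keys = sorted({key for event in events for key in event})
    conflicts = []
    for leaf in keys:
        prefix = leaf + "."
        for other in keys:
            if other.startswith(prefix):
                conflicts.append((leaf, other))
    return conflicts


def expand_dots(fields: dict) -> dict:
    """Expand dotted keys into nested dicts (hypothetical helper modelling
    dot expansion); raise ValueError when a path is both value and object."""
    root: dict = {}
    for key, value in fields.items():
        node = root
        *parents, last = key.split(".")
        for part in parents:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"{key!r}: {part!r} already holds a value")
            node = child
        if isinstance(node.get(last), dict):
            raise ValueError(f"{key!r} is already an object")
        node[last] = value
    return root


if __name__ == "__main__":
    for leaf, nested in find_dot_conflicts(SAMPLE_EVENTS):
        print(f"conflict: {leaf} is a value, but {nested} needs it as an object")
```

Running the detector over a sample of real events before choosing a mapping shows how many label keys are affected and which producers emit them.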