Handle nested data in Elasticsearch

Hi All,

I have a JSON input file with a field named error. This error field is nested and has 3 sub-fields, namely error.message, error.stacktrace and error.class. Currently I am able to use filters with these 3 fields, but they are not showing as separate fields in Kibana (under Available Fields in Kibana); they all show up under the error field only. How can this be solved? My template is below. ES version 7.4.2

{
  "evergreen-7.4.2" : {
    "order" : 3,
    "index_patterns" : [
      "test-*"
    ],
    "settings" : {
      "index" : {
        "lifecycle" : {
          "name" : "rollover",
          "rollover_alias" : "test-write-target"
        }
      }
    },
    "mappings" : {
      "dynamic" : true,
      "properties" : {
        "fields" : {
          "properties" : {
            "index_suffix" : {
              "type" : "keyword"
            },
            "cloudstack" : {
              "type" : "keyword"
            },
            "index" : {
              "type" : "keyword"
            }
          }
        },
        "error" : {
          "type" : "nested"
        },
        "timestamp" : {
          "type" : "date_nanos"
        }
      }
    },
    "aliases" : { }
  }
}

Sample log:

{"timestamp":"2020-07-14T02:00:04.462871Z","logging":{"level":"error","type":"app","name":"EnrollmentService","file_path":"/tmp/jetty-0_0_0_0-8080-evergreen-2020_07_13+1511-25f8472f_war-_-any-8444767333112902468.dir/webapp/WEB-INF/backend/helpers/diagnostics.rb","line":192,"thread":{"name":"rpc.poll"}},"message":"poller_error","context":{"tenant":"53aba09c-be06-11e9-bda3-0680c5280fdc"},"error":[{"class":"Circuitbox::FaradayMiddleware::RequestFailed","message":"Request failed: status(503) rate limit()","stacktrace":["/tmp/jetty-0_0_0_0-8080-evergreen-2020_07_13+1511-25f8472f_war-_-any-8444767333112902468.dir/webapp/WEB-INF/gems/gems/mdm-client-12.7.107/lib/mdm/client/open_circuit_response_middleware.rb:32:in `on_complete'","/tmp/jetty-0_0_0_0-8080-evergreen-2020_07_13+1511-25f8472f_war-_-any-8444767333112902468.dir/webapp/WEB-INF/gems/gems/faraday-0.17.3/lib/faraday/response.rb:9:in `block in call'"]}]}

Kibana does not support nested mappings well so if you want to work with Kibana my recommendation would be to avoid them.
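The recommendation above, sketched as an added example (not code from the thread): it swaps the `nested` mapping of `error` for a plain object and shows which dotted leaf fields the sample log then yields. The sub-field types, the helper names and the shortened sample document are assumptions made for illustration.

```python
import copy
import json

# Constructed, shortened version of the sample log from the question.
SAMPLE = {
    "timestamp": "2020-07-14T02:00:04.462871Z",
    "message": "poller_error",
    "error": [
        {"class": "Circuitbox::FaradayMiddleware::RequestFailed",
         "message": "Request failed: status(503) rate limit()",
         "stacktrace": ["open_circuit_response_middleware.rb:32", "response.rb:9"]},
    ],
}

# Assumed sub-field types; the thread does not specify them.
# A mapping with "properties" and no "type" is a plain object field.
ERROR_OBJECT_MAPPING = {
    "properties": {
        "class": {"type": "keyword"},
        "message": {"type": "text"},
        "stacktrace": {"type": "text"},
    }
}

def without_nested(mappings):
    """Return a copy of a mappings block with `error` as a plain object."""
    out = copy.deepcopy(mappings)
    out["properties"]["error"] = copy.deepcopy(ERROR_OBJECT_MAPPING)
    return out

def leaf_fields(value, prefix=""):
    """Flatten a document the way object (non-nested) fields are indexed:
    arrays of objects collapse into multi-valued dotted leaf fields."""
    fields = {}
    if isinstance(value, dict):
        for key, sub in value.items():
            for name, vals in leaf_fields(sub, f"{prefix}{key}.").items():
                fields.setdefault(name, []).extend(vals)
    elif isinstance(value, list):
        for item in value:
            for name, vals in leaf_fields(item, prefix).items():
                fields.setdefault(name, []).extend(vals)
    else:
        fields.setdefault(prefix.rstrip("."), []).append(value)
    return fields

if __name__ == "__main__":
    print(json.dumps(leaf_fields(SAMPLE), indent=2))
```

The trade-off of the object mapping is that when `error` holds several entries, their values are merged per field, so a query can no longer tell which `class` belonged to which `message`.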

Hi Christian,

Correct. I found this same GitHub issue raised. Thanks anyways!! https://github.com/elastic/kibana/issues/1084#issuecomment-585178079.
