Help with sub field mappings in index template

theflakes · February 27, 2019, 12:19am

Say I have the following section in a json Doc I want to index.

"top_level_field": {
  "field1": true,
  "field2": "blah blah",
  "field3": 123,
  "second_level": {
    "sub_field1": "fizz buzz",
	"sub_field2": 1.3434534
  }
}

Is this template fragment correct to index the above json?

"top_level_field":{
	"properties":{
		"field1":{ "type":"boolean" },
		"field2":{ "type":"text" },
		"field3":{ "type": integer },
		"second_level":{
		   "properties": {
				"sub_field1": { 
					"fields":{ "keyword":{ "type":"keyword" } },
					"type":"text" 
				},
				"sub_field2": { "type": long }
		   }
		}
	}
}

When this comes into Elastic I should see:

top_level_field.field1
top_level_field.field2
top_level_field.field3
top_level_field.second_level.sub_field1
top_level_field.second_level.sub_field1.keyword
top_level_field.second_level.sub_field2

I've tried something like this in the past and the fields came in as un-indexed as I also have dynamic mapping disabled. Feel likeI am misunderstanding something. Logs are being sent to Elastic via Logstash. Logstash is not doing much except for proxying the logs to Elastic.

I've had to use the below in my templates instead to get the index template to index these fields.

"top_level_field.field1": { "type":"boolean" },
"top_level_field.field2": { "type":"text" },
"top_level_field.field3": { "type": integer },
"top_level_field.second_level.sub_field1": { 
					"fields":{ "keyword":{ "type":"keyword" } },
					"type":"text" 
				},
"top_level_field.second_level.sub_field2": { "type": long }

system · March 27, 2019, 12:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.