How to map such object fields

ssasporta · March 25, 2018, 2:17pm

How to map such fields?

file.encoding = UTF-8
file.encoding.pkg = sun.io
file.separator = /

Thanks
Sharon.

dadoonet · March 25, 2018, 3:18pm

Depends on what you want to do but I'd probably use keyword data type

Christian_Dahlqvist · March 25, 2018, 3:30pm

In order to index those fields you will need to either rename or alter the structure. Dots in field names are special and will be expanded, which will cause a mapping conflict for file.encoding as this can not at the same time be a string and an object (as it has a sub-field named pkg).

ssasporta · March 25, 2018, 6:27pm

So, if the origin fields are:

file.encoding = UTF-8
file.encoding.pkg = sun.io

and I want to change it to:

file.encoding.type = UTF-8
file.encoding.pkg = sun.io

Which filters should I use?

I assume in this point, I will be able to create object mapping to file.encoding

Thanks
Sharon.

Christian_Dahlqvist · March 25, 2018, 6:56pm

I am not sure I understand your question. Could you please clarify with an example document?

ssasporta · March 25, 2018, 6:59pm

Is this the syntax to rename it?

mutate {  rename  => { "file.encoding" => "file.encoding.filetype" }  }

Thanks
Sharon

system · April 22, 2018, 7:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.