Index nested json

chrigui94 · April 12, 2018, 5:05pm

I have a nested file each document is like the following (contains a field "gateways" contains diffents number of gateways each one contains a latitude and longitude)
{
field1: "aa",
field2:"bb",
"gateways"[
{antennaLatitude:1222, antennaLongitude:1555},
{antennaLatitude:222, antennaLongitude:444}
]
}
First step I set my template which is like this
> {

  "template" : "logstash-*",
  "version" : 50001,
  "settings" : {
    "index.refresh_interval" : "5s",
	"index.mapping.ignore_malformed": true
  },
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : true, "norms" : false},
      "dynamic_templates" : [ {
        "message_field" : {
          "path_match" : "message",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text",
            "norms" : false
          }
        }
      }, {
        "string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text", "norms" : false,
            "fields" : {
              "keyword" : { "type": "keyword", "ignore_above": 256 }
            }
          }
        }
      } ],
      "properties" : {
        "@timestamp": { "type": "date", "include_in_all": false },
        "@version": { "type": "keyword", "include_in_all": false },
        "geoip"  : {
           "type" : "geo_point" 
        },
		"geoip_Dev": {
            "type" : "geo_point" 
          },
		  "geoip_gwy": {
            "type" : "geo_point" 
          },
		  "gtwys":{ 
		        "type": "nested",
			    "properties": {
						"antennaLatitude":{"type":"keyword"},
						"antennaLongitude":{"type":"keyword"},
                        "position": {"type": "geo_point"}
                    }
		  }
            }
          }
      }
}

But I dont know how to index these nested json in logstash to correspond my template:
to produce 2 geo_point positions ?

dadoonet · April 12, 2018, 5:20pm

I think you have to rename fields to lat and lon and then declare gateways as a geo_point. That might work.

chrigui94 · April 13, 2018, 8:16am

I need how to do this in logstash conf file (how to assign fields correctly ) ?
I did {
mutate {
add_field => [ "[gtwys][position][lat]", "%{[gateways][antennaLatitude]}" ]
add_field => [ "[gtwys][position][lon]", "%{[gateways][antennaLongitude]}" ]
}
mutate {
convert => {"[gtwys][position]" => "float"}
}
}
If I do that my document after indexing looks like:

as explained in the figure I need to put these coordinates in the new nested field created (gtwys.position) in order to show them on the map on kibana ?

dadoonet · April 13, 2018, 8:32am

I moved your question to #logstash then.

system · May 11, 2018, 8:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.