This appears to be due to having fields in my Elastic document as dot-separated:
…
"http.request.method": "GET",
"discourse.time.redis": 0.018657,
"url.domain": "test.example.net",
…
Reading up about this, it seems that the Kibana grok debugger behaves completely differently than Logstash… which is exactly the opposite of what you want from a debugging tool?
My patterns are using e.g.:
%{DATA:url.original}
syntax, which gives the correct (nested values) result in the grok debugger, but a single dot-separated field name with Logstash.
The bracket patterns in Kibana:
%{DATA:[url][original]}
give e.g.:
…
"[url][domain]": "vdc00ent1.staged-by-discourse.com",
…
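An added example, not part of the original post: a Python helper that rewrites grok capture names between the dotted form and the bracket form, together with a small model of the nesting behaviour the post describes for each tool. The function names and the `engine` labels are assumptions made for illustration.

```python
import re

# %{SYNTAX:name} or %{SYNTAX:name:type}; name is dotted or bracketed
CAPTURE = re.compile(r"%\{(\w+):([^:}]+)(:\w+)?\}")
BRACKETS = re.compile(r"\[([^\[\]]+)\]")


def path_of(name):
    """Split a capture name written in either syntax into path segments."""
    if name.startswith("["):
        return BRACKETS.findall(name)
    return name.split(".")


def convert(pattern, target):
    """Rewrite every capture name for 'logstash' (brackets) or 'kibana' (dots)."""
    def repl(m):
        syntax, name, cast = m.group(1), m.group(2), m.group(3) or ""
        parts = path_of(name)
        if target == "logstash":
            # A single segment needs no brackets; nested paths do.
            new = "".join(f"[{p}]" for p in parts) if len(parts) > 1 else parts[0]
        else:
            new = ".".join(parts)
        return f"%{{{syntax}:{new}{cast}}}"
    return CAPTURE.sub(repl, pattern)


def store(event, name, value, engine):
    """Model of the behaviour described in the post (an assumption, not tool code):
    Logstash nests bracket names and keeps dotted names literal;
    the Kibana grok debugger nests dotted names and keeps bracket names literal."""
    bracketed = name.startswith("[")
    nests = bracketed if engine == "logstash" else not bracketed
    parts = path_of(name) if nests else [name]
    node = event
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value
    return event


if __name__ == "__main__":
    # Constructed sample pattern using field names from the post.
    sample = "%{WORD:http.request.method} %{DATA:url.original}"
    print(convert(sample, "logstash"))
    print(store({}, "url.original", "/latest", "logstash"))
    print(store({}, "[url][original]", "/latest", "logstash"))
```

Keeping one canonical pattern file and converting it for the tool under test avoids debugging a pattern in one syntax and deploying it in the other.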