Map embedded json object to one field

I can see there are a number of posts about this but I cannot seem to make heads or tails of them.

We have some logs that get sent to our ELK server where an embedded Json object is sent. I would like to map everything in the embedded Json object to appear in the field Json object. Granted this is not the full template but we have the following:

> "JSONObject" : {
>           "properties" : {
>             "Capacity" : {
>               "type" : "long"
>             },
>             "Id" : {
>               "type" : "long"
>             },
>             "m_MaxCapacity" : {
>               "type" : "long"
>             },
>             "m_StringValue" : {
>               "norms" : false,
>               "type" : "text",
>               "fields" : {
>                 "keyword" : {
>                   "ignore_above" : 256,
>                   "type" : "keyword"
>                 }
>               }
>             },
>             "m_currentThread" : {
>               "type" : "long"
>             }
>           }
>         },

This does not seem to work and it splits each field which is causing a large number of fields to be added. The field names do not match.
Can someone advise the best way to do this? It will be much appreciated.

To ensure the contents of Jsonobject stay in the same field, do I need to update the template to be:

PUT /_templates/logstash
{
  "mappings": {
    "properties": {
      "JSONObject": { "type": "nested" }
    }
  }
}

Or would that cause any issues?
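
Added example, not part of the thread: Python that lists the fields dynamic mapping would derive from an embedded object in a few constructed events, then builds a mapping fragment that keeps `JSONObject` as one field with Elasticsearch's `flattened` type or `"enabled": false`. The sample events, the `Request` sub-object and the helper names are assumptions; only leaf paths are counted, so real counts are higher because Elasticsearch also counts object fields and multi-fields.

```python
"""Added example: fields created from an embedded object by dynamic mapping,
versus mapping that object as a single flattened or disabled field."""
import json

# Constructed sample events; keys under JSONObject mimic the posted mapping.
SAMPLE_EVENTS = [
    {"message": "a", "JSONObject": {"Id": 1, "Capacity": 16, "m_StringValue": "x"}},
    {"message": "b", "JSONObject": {"Id": 2, "m_MaxCapacity": 64, "m_currentThread": 0}},
    {"message": "c", "JSONObject": {"Id": 3, "Request": {"Headers": {"X-Trace": "t1"}}}},
]

def leaf_paths(value, prefix=""):
    """Yield the dotted path of every leaf, the way dynamic mapping names fields."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaf_paths(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for item in value:  # arrays do not add a level to the field path
            yield from leaf_paths(item, prefix)
    else:
        yield prefix

def mapped_fields(events, single_field=()):
    """Distinct leaf fields; a top-level name in single_field counts once."""
    fields = set()
    for event in events:
        for path in leaf_paths(event):
            root = path.split(".", 1)[0]
            fields.add(root if root in single_field else path)
    return fields

def single_field_mapping(field, field_type="flattened"):
    """Mapping fragment that keeps the whole object under one field."""
    if field_type == "flattened":
        body = {"type": "flattened"}  # sub-keys stay searchable as keywords
    else:
        body = {"type": "object", "enabled": False}  # kept in _source, not indexed
    return {"mappings": {"properties": {field: body}}}

if __name__ == "__main__":
    print(sorted(mapped_fields(SAMPLE_EVENTS)))
    print(sorted(mapped_fields(SAMPLE_EVENTS, single_field={"JSONObject"})))
    print(json.dumps(single_field_mapping("JSONObject"), indent=2))
```
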
