Is there any way to map a field as an object AND text, similar to what you can do with "fields" and text and keyword types?
I'm having an issue where a field is mapped differently across indices, because Winlogbeat expects a field to be cast as a type of "object", but I have other logs where the field is cast as a type of "text".
Thanks,
Cappy
Have you defined this in a/the template?
Yes, I have.
This is related to my other question, actually.
I have an LS-managed template (index_pattern of logstash-beats-*) I use (with everything statically mapped) that has the "user" field mapped as an object, with different properties, etc and an order of 1
I have another LS-managed template I use (index_pattern of [ "logstash-*", "-*beats*" ] that has a "user" field from some other logs, that is set as a type of "text" and an order of 0. The logs that use this template provide a text only value.
I've tried:
Setting the field to a type of object in the logstash-* template, which doesn't work because it has a concrete single value.
"user":{
"type":"object"
},
Using "fields" to add a type of object, so that the field will be indexed w/ multi-fields.
"user":{
"type":"text",
"fields": {
"object":{
"type":"object"
}
}
},
In the logstash-beats-* template, it is defined as follows:
"user": {
"properties": {
"domain": {
"type": "keyword"
},
"identifier": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
Thanks,
Cappy
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.