Hello, fellow Elastic enthusiasts!
Despite following the documentation and various online resources, I find myself at a standstill. Here's a brief overview of my setup:
My Logstash pipeline is configured to output data into Elasticsearch. The configuration snippet looks like this:
```
output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "my_index-custom-stage"
    action => "create"
    user => "logstash_internal"
    password => "${LOGSTASH_INTERNAL_PASSWORD}"
  }
}
```
I've designed a custom ingestion pipeline and mappings for my_index to accommodate a complex data structure with nested fields. The mappings are as follows:
```json
{
  "mappings": {
    "properties": {
      "ip-info": {
        "type": "nested",
        ... // (Additional nested field mappings for clarity)
      }
    }
  }
}
```
When I inspect the data in the my_index data stream view, I only observe the original ip-info object in its JSON format. Conversely, when examining the default logs-* index view, the ip-info object is parsed correctly, displaying all nested fields as expected.
This is a document in my_index and the same document in default logs-* index:
Despite numerous attempts to resolve the issue—including switching from data streams to indexes, ensuring mappings are in place before ingesting any documents, and tweaking various settings—I've hit a wall. The my_index retains the nested field as JSON, whereas the logs-* index parses it without any problem.
Has anyone faced a similar challenge, or does anyone have insights into what might be going wrong? Here are my specific questions:
- Why does the my_index not parse the nested ip-info object correctly, while the default logs-* index does?
- Are there any recommended debugging steps or configurations I might have overlooked that could resolve this parsing discrepancy?
Thank you in advance!