Hello,
In my case, I have an index template containing a nested field.
Let it be for example:
PUT _template/template_v1
{
  "index_patterns": ["routes.ipv4.data.*"],
  "settings": {
    "number_of_shards": 10
  },
  "mappings": {
    "properties": {
      "ip.src": { "type": "ip" },
      "asn.src": { "type": "long" },
      "ip.dst": { "type": "ip" },
      "asn.dst": { "type": "long" },
      "dumppp": {
        "type": "nested",
        "properties": {
          "no": { "type": "short" },
          "ip.in": { "type": "ip" },
          "asn.in": { "type": "long" },
          "ip.out": { "type": "ip" },
          "asn.out": { "type": "long" }
        }
      }
    }
  }
}
In reality, however, each document in this index will usually contain not one such nested field, but several (an array).
How should I add a nested array to the index? What does the query look like in this case?
Additional question about the elasticsearch API for Python:
#!/usr/bin/env python
from elasticsearch import Elasticsearch, exceptions
from ssl import create_default_context
[...]
# One object per nested element. Note: the key names used here ('ip.src', ...)
# are the top-level field names, not the nested properties the template defines
# ('no', 'ip.in', 'asn.in', 'ip.out', 'asn.out'); the values are placeholders.
doc_dumppp = []
for element in nested_elements:
    doc_dumppp.append({
        'ip.src': str(element),
        'asn.src': str(element),
        'ip.dst': str(element),
        'asn.dst': str(element)
    })
# The nested array is simply a list of objects under the 'dumppp' key.
doc = {
    'ip.src': str(ip_src),
    'asn.src': str(asn_src),
    'ip.dst': str(ip_dst),
    'asn.dst': str(asn_dst),
    'dumppp': doc_dumppp
}
# Target index name; the template above is applied only to indices whose
# names match its index_patterns ("routes.ipv4.data.*").
res = es.index(index="v-index", body=doc)
[...]
Above are very quick code snippets.
The code written this way works in theory.
Nested fields are added, but at the Kibana level they are visible as a "full string". It is not possible to search etc. on the fields contained in the nested object.
What is the reason?
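As an added example (not code from the original post), assuming the template above: it builds a document whose `dumppp` field is a JSON array of nested objects using the template's nested property names, writes the `nested` query needed to search inside one array element, and checks whether a target index name is covered by the template's `index_patterns`, since a template is only applied to indices whose names match. The `hops` input and the index names in the comments are constructed values.

```python
import fnmatch

# Template from the post (settings omitted). A template applies only to indices
# whose names match index_patterns; other indices fall back to dynamic mapping.
TEMPLATE = {
    "index_patterns": ["routes.ipv4.data.*"],
    "mappings": {"properties": {
        "ip.src": {"type": "ip"}, "asn.src": {"type": "long"},
        "ip.dst": {"type": "ip"}, "asn.dst": {"type": "long"},
        "dumppp": {"type": "nested", "properties": {
            "no": {"type": "short"},
            "ip.in": {"type": "ip"}, "asn.in": {"type": "long"},
            "ip.out": {"type": "ip"}, "asn.out": {"type": "long"},
        }},
    }},
}


def template_applies(index_name):
    """True if the template's index_patterns cover this index name."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in TEMPLATE["index_patterns"])


def build_doc(ip_src, asn_src, ip_dst, asn_dst, hops):
    """Build one document; `dumppp` is a JSON array of nested objects.

    hops: list of (ip_in, asn_in, ip_out, asn_out) tuples (constructed input).
    Numbers are sent as ints, not str(), so they index as long/short.
    """
    nested_props = TEMPLATE["mappings"]["properties"]["dumppp"]["properties"]
    dumppp = [{"no": n, "ip.in": a, "asn.in": b, "ip.out": c, "asn.out": d}
              for n, (a, b, c, d) in enumerate(hops, start=1)]
    for obj in dumppp:  # keys must exist in the nested mapping, or dynamic mapping adds them
        unknown = set(obj) - set(nested_props)
        if unknown:
            raise ValueError(f"unmapped nested keys: {sorted(unknown)}")
    return {"ip.src": ip_src, "asn.src": asn_src,
            "ip.dst": ip_dst, "asn.dst": asn_dst, "dumppp": dumppp}


def nested_query(ip_in, asn_out):
    """Match documents where a SINGLE dumppp element has both values.

    Without the `nested` wrapper the two terms could match different array
    elements of the same document; the nested type exists to prevent that.
    """
    return {"query": {"nested": {"path": "dumppp", "query": {"bool": {"must": [
        {"term": {"dumppp.ip.in": ip_in}},
        {"term": {"dumppp.asn.out": asn_out}},
    ]}}}}}
```

The returned dicts are what would be passed as `body=` to `es.index(...)` and `es.search(...)` respectively.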