Nested fields vs. flat document

I'm currently creating an index template for network logs. I currently have something like this:

    "mappings" : {
      "doc" : {
        "properties" : {
    ...
          "ip_src" : {
            "type" : "ip"
          },
          "ip_dst" : {
            "type" : "ip"
          },
          "ip_nat_src" : {
            "type" : "ip"
          },
          "ip_nat_dst" : {
            "type" : "ip",
            "index" : "false"
          },
    ...

I'm thinking something that would allow referring to the fields as src.nat.ip would be better:

    "mappings" : {
      "doc" : {
        "properties" : {
    ...
          "src" : {
		    "properties" : {
              "ip" : {
                "type" : "ip"
              },
              "port" : {
                "type" : "long"
              },
              "nat" : {
                "properties" : {
                  "ip" : {
                    "type" : "ip"
                  },
                  "port" : {
                    "type" : "long"
                  }
				}
			  },
    ...

Are there any performance/storage implications to this other than changing how you reference the fields (I'm indexing about 500 mil documents/day, so every little bit matters)? I've not been able to find anything definitive.

Hi,
What are the queries or aggregations that you have in mind? That might help to answer your question.

Also, slightly related to the optimisation topic, you might consider using dynamic templates to shrink down the size of your index templates. E.g., with respect to your first mapping, something like

    {
      "mappings": {
        "doc": {
          "properties": { ... },
          "dynamic_templates": [
            {
              "ip_address": {
                "match": "ip_*",
                "mapping": {
                  "type": "ip"
                }
              }
            }
          ]
        }
      }
    }
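An added example (not part of either post) that ties the two mappings together: a constructed template in Python that covers the `src.nat.ip` layout with `path_match` dynamic templates and the flat `ip_*` layout with a `match` template, plus a small resolver showing which type each dotted path gets. `flatten` illustrates that `object` fields (unlike the `nested` type) are stored by Lucene as plain dotted leaf names such as `src.nat.ip`, so the choice is mostly about naming and template size rather than storage; the template names and the helper functions are my own.

```python
import fnmatch
from typing import Optional

# Constructed index-template body (not a real production template).
# dynamic_templates must be a list of single-key objects; first match wins.
NETWORK_LOG_MAPPING = {
    "dynamic_templates": [
        {"ip_leaf": {"path_match": "*.ip", "mapping": {"type": "ip"}}},
        {"port_leaf": {"path_match": "*.port", "mapping": {"type": "long"}}},
        {"flat_ip": {"match": "ip_*", "mapping": {"type": "ip"}}},
    ],
    "properties": {
        # One explicit object field; everything else is left to the templates.
        "src": {"properties": {"nat": {"properties": {"ip": {"type": "ip"}}}}},
    },
}


def flatten(doc: dict, prefix: str = "") -> dict:
    """Turn a nested JSON document into the dotted leaf names that an object
    mapping stores, e.g. {"src": {"nat": {"ip": x}}} -> {"src.nat.ip": x}."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def resolve_type(mapping: dict, path: str) -> Optional[str]:
    """Return the field type a dotted path would get: an explicit `properties`
    entry wins, otherwise the first dynamic template whose pattern fits.
    `path_match` is tested against the full path, `match` against the leaf."""
    node = mapping
    for part in path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            break
    else:
        return node.get("type")
    leaf = path.rsplit(".", 1)[-1]
    for template in mapping.get("dynamic_templates", []):
        (rule,) = template.values()
        path_pattern = rule.get("path_match")
        subject = path if path_pattern else leaf
        pattern = path_pattern or rule.get("match", "*")
        if fnmatch.fnmatchcase(subject, pattern):
            return rule["mapping"].get("type")
    return None
```

Paths that no explicit property or template covers come back as `None`, which is exactly the case where Elasticsearch would fall back to its default dynamic typing (for example a `text`/`keyword` pair for a string), so it is worth checking before indexing 500 million documents a day.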

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.