Nested object visualization

theo1991 · July 26, 2019, 7:48am

Hello,

Is it possible to select a nested object to visualize in Kibana ? I want to select the first field in this nested object.
Here is my filter :

grok :

u'rules': \[(?<[@metadata][rules]>[^\]]+)\]

ruby :

rules = event.get('[@metadata][rules]')
		if rules
			rule = rules.scan(/{u'type': u'([^']+)', u'id': ([0-9]+)}/)
			event.set('rule', rule)
		end

Index mapped by elasticsearch :

"rule": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },

In the visualization, when I select rule.keyword, I'm not able to select which field I want :

Do I have to add something in JSON input in the advanced settings of the visualization ?

wylie · July 26, 2019, 4:23pm

I don't think what you are describing is a "Nested object", what you have is a dual mapping. If you want to select specific terms, you can either:

Use the Terms aggregation and specify specific Include/Exclude values in the additional options menu for that aggregation
Use a Filters aggregation and specify a query that filters only the documents you want to match.

If you are actually intending to create a nested object mapping, your configuration is not correct: https://www.elastic.co/guide/en/elasticsearch/reference/current/nested.html (but if you are trying to do this, Kibana does not currently supported that kind of mapping)

theo1991 · August 8, 2019, 2:18pm

Hello wylie,

Sorry for the delay, and thank you for your answer.
My results are like this in discovery when I click on rules :
["RULE","888821"]
["OTHER_RULE","888822"]

So I think you're right, it's a dual mapping.
But how can I tell to kibana when I want to make my visualization, to do not use the first field (here "RULE" "OTHER_RULE" etc) ?

Thank you

wylie · August 8, 2019, 3:21pm

You might be able to construct a scripted field to access the value you want using painless scripting. I'm not sure I can provide an exact script for you to try, but that approach would give you more control over the value.

Also, it looks like this is an array field, I would highly recommend reading the limitations Elasticsearch has for that kind of data: https://www.elastic.co/guide/en/elasticsearch/reference/current/array.html

system · September 5, 2019, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.