Hi,
I've created the following mapping:
{
  "mappings": {
    "smalltype": {
      "properties": {
        "top_domains": {
          "properties": {
            "num": {"type": "integer"},
            "value": {"type": "string"}
          }
        },
        "top_ip_addresses": {
          "type": "nested",
          "properties": {
            "ATCK1": {"type": "integer"},
            "ATCK2": {"type": "integer"},
            "ATCK3": {"type": "integer"},
            "ATCK4": {"type": "integer"},
            "country_code": {"type": "string"},
            "ip_address": {"type": "string"}
          }
        },
        "top_paths": {
          "properties": {
            "num": {"type": "integer"},
            "value": {"type": "string"}
          }
        }
      }
    }
  }
}
Then I put the document into Elasticsearch:
{
  "top_domains": [
    {"num": 2, "value": "url1.com"},
    {"num": 2, "value": "url2.com"},
    {"num": 1, "value": "url3.net"}
  ],
  "top_paths": [
    {"num": 212, "value": "/test.gif"}
  ],
  "top_ip_addresses": [
    {"ATCK1": 4, "ATCK2": 6, "ATCK3": 2, "company_name": "Generic_ISP_LTD", "country_code": "IT", "ip_address": "1.1.1.1", "ATCK4": 1},
    {"ATCK1": 0, "ATCK2": 1, "ATCK3": 7, "company_name": "You_ISP", "country_code": "US", "ip_address": "2.2.2.2", "ATCK4": 7},
    {"ATCK1": 1, "ATCK2": 7, "ATCK3": 3, "company_name": "ISPs_R_Us", "country_code": "IL", "ip_address": "3.3.3.3", "ATCK4": 2}
  ]
}
Then I try to create visualization graphs, for example: visualize the graph per country_code to show the max(ATCK1).
But Kibana doesn't show me any results.
If I remove the "type": "nested" notion from "top_ip_addresses", I can get the queries in Kibana, but then it is treated like an object and loses context correlation.
Am I missing something? Should I change the index mapping in some different way, or give Kibana some hint?
Thanks,
Julia
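The aggregation the post is asking for, written as the nested aggregation body from the Elasticsearch query DSL, next to a local computation of what it returns for the posted document under a nested mapping versus a plain object mapping. This is an added example, not part of the post; the document is a constructed copy of the one above, and the helper function names are my own.

```python
import json

# Constructed copy of the document from the post (company_name is in the
# document but not in the mapping, so it is left to dynamic mapping).
DOC = {
    "top_ip_addresses": [
        {"ATCK1": 4, "ATCK2": 6, "ATCK3": 2, "company_name": "Generic_ISP_LTD", "country_code": "IT", "ip_address": "1.1.1.1", "ATCK4": 1},
        {"ATCK1": 0, "ATCK2": 1, "ATCK3": 7, "company_name": "You_ISP", "country_code": "US", "ip_address": "2.2.2.2", "ATCK4": 7},
        {"ATCK1": 1, "ATCK2": 7, "ATCK3": 3, "company_name": "ISPs_R_Us", "country_code": "IL", "ip_address": "3.3.3.3", "ATCK4": 2},
    ]
}

def nested_max_query(path, group_field, metric_field):
    """Search body for 'max(metric) per group' over a nested field: a `nested`
    aggregation scoped to `path`, then `terms` on the group, then `max`."""
    return {
        "size": 0,
        "aggs": {
            "ips": {
                "nested": {"path": path},
                "aggs": {
                    "by_country": {
                        "terms": {"field": f"{path}.{group_field}"},
                        "aggs": {"max_atck": {"max": {"field": f"{path}.{metric_field}"}}},
                    }
                },
            }
        },
    }

def nested_buckets(doc, path, group_field, metric_field):
    """What the nested aggregation yields for one document: each array element
    is its own hidden document, so the max is taken per country."""
    best = {}
    for obj in doc[path]:
        best[obj[group_field]] = max(best.get(obj[group_field], float("-inf")), obj[metric_field])
    return best

def flattened_buckets(doc, path, group_field, metric_field):
    """Same question against an `object` mapping: the array is flattened into
    parallel value lists, so every country sees the document-wide maximum."""
    global_max = max(obj[metric_field] for obj in doc[path])
    return {obj[group_field]: global_max for obj in doc[path]}

if __name__ == "__main__":
    print(json.dumps(nested_max_query("top_ip_addresses", "country_code", "ATCK1"), indent=2))
    print("nested   :", nested_buckets(DOC, "top_ip_addresses", "country_code", "ATCK1"))
    print("flattened:", flattened_buckets(DOC, "top_ip_addresses", "country_code", "ATCK1"))
```

The flattened result is the "loses context correlation" effect described above: with an object mapping, ATCK1 for IT, US and IL all report 4.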