Search for dynamic field name in dashboard

I'm using Kibana 6.2, and because of the problem that arrays are not well supported, I changed my JSON like this:

    {"array1" : [
        {
            "array2" : [
                {"name": "abc"}, {"name": "def"}
            ]
        }
    ]}

    {"array1" : {
        "0" : {
            "array2" : {
                "0": {"name": "abc"},
                "1": {"name": "def"}
            }
        }
    }}

On my dashboard I'm trying to create a pie chart that splits into a count of names, but when using terms I can't write on "field": array1.*.array2.*.name

I tried to use JSON input but with no success, and the field I want is zapReport.site.*.alerts.*.keyword

Another question: in which version are arrays well supported?

Can someone help me, please?

There is the "nested" type, which can do what you want directly: https://www.elastic.co/guide/en/elasticsearch/reference/master/nested.html

You can even have "nested" fields whose fields are "nested", needed for your example.

I think the problem you'll find is that it's not yet supported everywhere you can create queries for use in visualizations/alerts/etc. in Kibana. It's supported in terms of building queries against Elasticsearch though, if you just need the raw search output.

Off the top of my head (and I'm no expert at mappings!), I'd say you might want to reconsider your data model, so that you end up with multiple documents per "site". Example below. But it really depends on how you intend to access your data.

    { "site": "foo", "alert": "a" }
    { "site": "foo", "alert": "b" }
    { "site": "foo", "alert": "c" }
    { "site": "bar", "alert": "x" }
    { "site": "bar", "alert": "y" }
    { "site": "bar", "alert": "z" }
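The one-document-per-alert model suggested in the reply above, as an added example that is not part of the original thread: a script that flattens a report shaped like `zapReport.site[].alerts[]` into flat documents and builds an Elasticsearch `_bulk` body from them. The `name` and `alert` keys and the sample report are constructed assumptions; the helper also accepts the index-keyed object form from the question.

```python
import json

# Constructed sample shaped like the question's zapReport.site[].alerts[];
# the "name" and "alert" keys are assumptions for illustration.
SAMPLE = {"zapReport": {"site": [
    {"name": "foo", "alerts": [{"alert": "a"}, {"alert": "b"}, {"alert": "a"}]},
    # Second site uses the question's {"0": ..., "1": ...} workaround form.
    {"name": "bar", "alerts": {"0": {"alert": "x"}, "1": {"alert": "y"}}},
    {"name": "quiet", "alerts": []},
]}}


def as_list(value):
    """Normalise a real array, an index-keyed object, or a single object."""
    if value is None:
        return []
    if isinstance(value, list):
        return value
    if isinstance(value, dict) and value and all(k.isdigit() for k in value):
        return [value[k] for k in sorted(value, key=int)]
    return [value]


def flatten(report):
    """Yield one flat document per (site, alert) pair."""
    for site in as_list(report.get("zapReport", {}).get("site")):
        for alert in as_list(site.get("alerts")):
            yield {"site": site.get("name"), **alert}


def to_bulk(docs):
    """Build an NDJSON body for the _bulk API; the target index goes in the URL."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {}}))
        lines.append(json.dumps(doc, sort_keys=True))
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    print(to_bulk(flatten(SAMPLE)), end="")
```

Each resulting document has a single concrete `alert` field, so a terms aggregation no longer needs a wildcard field path. Sites with no alerts produce no documents.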
