Showing nested properties as individual fields in Discover UI

mariusoe · November 29, 2018, 2:19pm

Hi,

recently I upgrade my ELK stack from version 5 to version 6(.4).
My documents contains a field which is a JSON object and until now, the JSON's attributes were shown in Kibana's discovery UI as seperate fields (as shown in the following screenshot)

After the upgrade, the JSON object is not split into several fields but shown as a single object. I don't have a clue why this is happening.
The data is incoming via Logstash and it just parses a incoming String to a JSON object, like this:
json {
source => "message"
target => "message"
}

But this was not changed - so it was done like this before.
The mapping is also the same as before. Is there something like an option where I can specify Kibana's behavior in this case?

Appreciate any help

Best regards,
Marius

lukas · November 29, 2018, 3:53pm

It's possible that you may have to refresh your index pattern fields in the management screen. If that doesn't work could you provide the mapping here so I can try to troubleshoot? Thanks!

mariusoe · November 30, 2018, 8:31am

Hi,

I was able to solve the problem by myself.

The reason was, that my index-pattern matched an index which used a mapping where the "message" field was stored as an object(field) itself.
So there were these two mappings for the "message" field existing:

"message": {
	"type": "text",
	"fields": {
		"keyword": {
		  "type": "keyword",
		  "ignore_above": 256
		}
	}
},

"message": {
	"properties": {
		"BUSINESS_XXX": {
...

Due to this, Kibana grouped all fields starting with "message" together to an object.
Removing the "wrong" index and refreshing the fields of the index pattern solved the problem.
Now, the fields are shown seperatly, as shown in the screenshot of my question.

Thanks,
Marius

system · December 28, 2018, 8:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.