Using "key/value with nested fields" with logstash

widhalmt · August 1, 2017, 1:02pm

Hi,

I have a problem where someone logs lots of different JSON logs into Logstash which forwards them to Elasticsearch. There are so many fields that we hit the 1000 threshold of fields per index. To prevent mapping explosion we don't want to raise this limit.

I read about using "key/value with nested fields" in Limit of total fields [1000] in index has been exceeded and saw an example in https://www.elastic.co/blog/found-crash-elasticsearch#mapping-explosion but I wonder how I would achieve that with Logstash.

Could anyone give me a hint how to split long fieldnames (containing .) in a way I can avoid mapping explosion?

My problem is that there might come in new field names any time so I need an automatic way of splitting.

Thanks in advance!

widhalmt · August 1, 2017, 3:25pm

I just saw that the "dedot" filter of Logstash provides the capability to replace dots with nested fields, not just replace dots with another character. Could this solve my problem?

Will heavily nested be fields be better with Elasticsearch than lots of different fieldnames? (Maybe I should ask this in the Elasticsearch forums, too)

system · August 29, 2017, 3:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can nested fields prevent mapping explosion? Elasticsearch	3	5578	August 31, 2017
Limit of total fields [1000] in index exceeded and nested json Logstash	3	855	October 6, 2020
Prevent nested json from appearing in elasticsaerch field Logstash	7	349	August 19, 2022
Field name [server.example.com] cannot contain '.' Logstash	3	798	July 6, 2017
Logstash 2.x : Dynamic Mapping Logstash	10	1383	July 6, 2017

Using "key/value with nested fields" with logstash

Related topics