Variable-value is displaying as an array for nested field in kibana

Elastic Stack Kibana
1

kibana 7.17.0
Ubuntu 20.04

The json looks like

    "attempt": [
      {
        "responsecode": 250,
        "responsendr": "2.0.0",
        "transportid": "relay",
        "duration": 0.50850701,
        "jobid": "",
        "response": "Ok: queued as E99733F212",
        "tls": {
          "cipher": "TLS_AES_256_GCM_SHA384",
          "protocol": "TLSv1.3",
          "keysize": 256
        },
        "state": "EOD",
        "dsn": null,
        "retry": 0,
      }
    ],

While table view looks like

attempt
{
  "responsecode": [
    250
  ],
  "responsendr": [
    "2.0.0"
  ],
  "transportid": [
    "relay"
  ],
  "tls.protocol": [
    "TLSv1.3"
  ],
  "tls.cipher": [
    "TLS_AES_256_GCM_SHA384"
  ],
  "finishedtime": [
    "2022-02-24T09:25:25.088Z"
  ],
  "tls.keysize": [
    256
  ],
  "duration": [
    0.508507
  ],
  "jobid": [
    ""
  ],
  "response.keyword": [
    "Ok: queued as E99733F212"
  ],
  "response": [
    "Ok: queued as E99733F212"
  ],
  "state": [
    "EOD"
  ],
  "retry": [
    0
  ]
}

Wonder why a variable-value pair is turning over to an array?

Index map is like

....
        "attempt": {
          "type": "nested",
          "properties": {
            "duration": {
              "type": "float"
            },
            "finishedtime": {
              "type": "date",
              "format": "epoch_millis"
            },
            "jobid": {
              "type": "keyword",
              "ignore_above": 256
            },
....
            "tls": {
              "properties": {
                "cipher": {
                  "type": "keyword",
                  "ignore_above": 256
                },
                "keysize": {
                  "type": "short"
                },
                "protocol": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
...

Is it by design?

2

This does not look like a Kibana question but more related to ingest. How are you ingesting that data?

3

Hmm... Why it is a question to ingest? When getting data via API query from elastic, it look as expected. When I said "The json looks like" I mean data I am getting from command like

curl -s -k https://localhost:9200/MyIndex-2022-02-27/_search?pretty

The response looks like

....
          "attempt": [
            {
              "responsecode": 250,
              "responsendr": "2.0.0",
              "transportid": "relay",
              "duration": 0.558131822,
              "jobid": "",
              "response": "OK l9-20020a2e99c9000000b002464380b3bbsi6986081ljj.302 - gsmtp",
              "tls": {
                "cipher": "TLS_AES_256_GCM_SHA384",
                "protocol": "TLSv1.3",
                "keysize": 256
              },
              "state": "EOD",
              "dsn": null,
              "retry": 0,
            }
          ],
...

not any

attempt
{
  "responsecode": [
    250
  ],
4

Thanks for clarifying so you are ingesting and indexing your data correctly.

Where exactly are you getting that response with field values as arrays? Is that the JSON view in Discover or where?

1 Like
5

No, it comes from kibana > Discovery > index > Table view. JSON view looks OK now. Not sure if it was like this when I posted the original issue (on 7.17.0) as I updated ELK to 7.17.1 yesterday.

1 Like
6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.