Variable-value is displaying as an array for nested field in kibana

Onkel_Bob · February 25, 2022, 8:48am

kibana 7.17.0
Ubuntu 20.04

The json looks like

    "attempt": [
      {
        "responsecode": 250,
        "responsendr": "2.0.0",
        "transportid": "relay",
        "duration": 0.50850701,
        "jobid": "",
        "response": "Ok: queued as E99733F212",
        "tls": {
          "cipher": "TLS_AES_256_GCM_SHA384",
          "protocol": "TLSv1.3",
          "keysize": 256
        },
        "state": "EOD",
        "dsn": null,
        "retry": 0,
      }
    ],

While table view looks like

attempt
{
  "responsecode": [
    250
  ],
  "responsendr": [
    "2.0.0"
  ],
  "transportid": [
    "relay"
  ],
  "tls.protocol": [
    "TLSv1.3"
  ],
  "tls.cipher": [
    "TLS_AES_256_GCM_SHA384"
  ],
  "finishedtime": [
    "2022-02-24T09:25:25.088Z"
  ],
  "tls.keysize": [
    256
  ],
  "duration": [
    0.508507
  ],
  "jobid": [
    ""
  ],
  "response.keyword": [
    "Ok: queued as E99733F212"
  ],
  "response": [
    "Ok: queued as E99733F212"
  ],
  "state": [
    "EOD"
  ],
  "retry": [
    0
  ]
}

Wonder why a variable-value pair is turning over to an array?

Index map is like

....
        "attempt": {
          "type": "nested",
          "properties": {
            "duration": {
              "type": "float"
            },
            "finishedtime": {
              "type": "date",
              "format": "epoch_millis"
            },
            "jobid": {
              "type": "keyword",
              "ignore_above": 256
            },
....
            "tls": {
              "properties": {
                "cipher": {
                  "type": "keyword",
                  "ignore_above": 256
                },
                "keysize": {
                  "type": "short"
                },
                "protocol": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
...

Is it by design?

jsanz · March 9, 2022, 5:42pm

This does not look like a Kibana question but more related to ingest. How are you ingesting that data?

Onkel_Bob · March 10, 2022, 8:16am

Hmm... Why it is a question to ingest? When getting data via API query from elastic, it look as expected. When I said "The json looks like" I mean data I am getting from command like

curl -s -k https://localhost:9200/MyIndex-2022-02-27/_search?pretty

The response looks like

....
          "attempt": [
            {
              "responsecode": 250,
              "responsendr": "2.0.0",
              "transportid": "relay",
              "duration": 0.558131822,
              "jobid": "",
              "response": "OK l9-20020a2e99c9000000b002464380b3bbsi6986081ljj.302 - gsmtp",
              "tls": {
                "cipher": "TLS_AES_256_GCM_SHA384",
                "protocol": "TLSv1.3",
                "keysize": 256
              },
              "state": "EOD",
              "dsn": null,
              "retry": 0,
            }
          ],
...

not any

attempt
{
  "responsecode": [
    250
  ],

jsanz · March 10, 2022, 12:01pm

Thanks for clarifying so you are ingesting and indexing your data correctly.

Where exactly are you getting that response with field values as arrays? Is that the JSON view in Discover or where?

Onkel_Bob · March 10, 2022, 12:28pm

No, it comes from kibana > Discovery > index > Table view. JSON view looks OK now. Not sure if it was like this when I posted the original issue (on 7.17.0) as I updated ELK to 7.17.1 yesterday.

system · April 7, 2022, 12:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.