-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nested fields and data types #1406
Comments
Thank you for creating this issue! We are in the process of improving processing of the nested events, see issue #704 for details. In the meantime, all nested fields are, as you noticed, flattened as
For example, adding new field named For
This is interesting. Do you have any specific idea about improving the |
@a-rodin For ES, I was thinking specifically about ad-hoc typing, which ES supports. You can't use the API to force the already set data type, but you can actually update the template with every event (you can do this natively through logstash). So, let's say I've forgotten to coerce some data. The string representation is still json and if my index has got a template it will do so. But on a first message, it will judge the field to be "string" and then API cannot change it back. So, I go into elasticsearch sink configurations and add something like The idea is to send template only for the fields I require as a particular type which then can be changed without full re-indexing. Note that I don't actually know how this works, I've just seen an logstash implementation :) And, obviously, since es is doing the coercing, I don't need it that much |
There seems to be a problem with data types and nested fields.
For a log event with this structure:
1. Lua transform
Containers do not evaluate.
events["container_a"]
- nil, whileevents["container_a.str_data_b"]
- strEach assingment drops type. So after
events["container_a.int_data_a"] = events["int_data_b"]
- nowcontainer_a.int_data_a = "2"
2. Coercer
int_data_b = "int"
- workscontainer_a.int_data_a
- expected str, got map, while"container_a.int_data_a" = "int"
works, which is a bit unweildyI would suggest digging into lua (if it's not already done with an upcoming update) , changing userdata into a table and somehow forcing data types.
As it stands,
elasticsearch sink
does not have a template mapping, so each transformation requires at least one coercer.The text was updated successfully, but these errors were encountered: