Hi Laurens, 

In Metron all fields tend to get flattened into an un-nested structure of keys 
and values. Some of the keys do represent a flattened tree structure (for 
example our standard enrichment fields). The reason for this is essentially 
ingest speed for nested documents in Lucene-based indices like Elastic and 
Solr. So, we never used, nor need, a nested template, and tend to just use the 
‘:’-separated fields to define the hierarchy.

Is there a particular use case you need the nesting for? 

Simon

> On 7 Feb 2018, at 01:26, Laurens Vets <laur...@daemon.be> wrote:
> 
> I hope there's an elasticsearch expert on the mailing list :D
> 
> I have a field called "responseElements:subnets" which can either contain:
> 
> {
>  "subnetIdentifier": "subnet-abcdefgh",
>  "subnetStatus": "Active",
>  "subnetAvailabilityZone": {
>    "name": "us-west-2c"
>  }
> },
> {
>  "subnetIdentifier": "subnet-12345678",
>  "subnetStatus": "Active",
>  "subnetAvailabilityZone": {
>    "name": "us-west-2b"
>  }
> }
> 
> or:
> 
> subnet-abcdefgh, subnet-12345678, subnet-a1b2c3d4
> 
> Any idea how I can map this in my template?
> 
> For the first case, I got:
> 
> "responseElements:subnets": {
>  "type": "nested",
>  "properties": {
>    "subnetIdentifier": { "type": "string"  },
>    "subnetStatus": { "type": "string"  },
>    "subnetAvailabilityZone": {
>      "type": "nested",
>      "properties": {
>        "name": { "type": "string" } } } } }
> 
> But how can I map the 2nd case?
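
Added example, not part of the original thread and not Metron code: one way to bring both shapes of "responseElements:subnets" into the flat, ':'-separated form described in the reply, so that every key can take a plain non-nested string mapping. The function names, the choice to collect repeated values into a multi-valued field, and placing the comma-separated form under the "subnetIdentifier" leaf are assumptions of this example; the sample values are the ones quoted in the thread.

```python
import json

SEP = ":"  # hierarchy separator described in the reply
FIELD = "responseElements:subnets"

# Sample inputs built from the two shapes quoted in the thread.
OBJECT_SHAPE = [
    {"subnetIdentifier": "subnet-abcdefgh", "subnetStatus": "Active",
     "subnetAvailabilityZone": {"name": "us-west-2c"}},
    {"subnetIdentifier": "subnet-12345678", "subnetStatus": "Active",
     "subnetAvailabilityZone": {"name": "us-west-2b"}},
]
STRING_SHAPE = "subnet-abcdefgh, subnet-12345678, subnet-a1b2c3d4"

def flatten(value, prefix, out):
    """Collapse dicts/lists into ':'-joined keys; repeated leaves become multi-valued."""
    if isinstance(value, dict):
        for key, child in value.items():
            flatten(child, f"{prefix}{SEP}{key}", out)
    elif isinstance(value, list):
        for item in value:
            flatten(item, prefix, out)
    else:
        out.setdefault(prefix, []).append(str(value))
    return out

def normalise_subnets(raw, field=FIELD):
    """Accept either shape and return flat, string-only fields."""
    if isinstance(raw, str):
        # Comma-separated identifiers: emit them under the same leaf key the
        # object shape produces (assumption), so one mapping covers both.
        ids = [part.strip() for part in raw.split(",") if part.strip()]
        return {f"{field}{SEP}subnetIdentifier": ids}
    return flatten(raw, field, {})

def template_properties(flat):
    """One non-nested mapping per flat key, using the 'string' type from the thread."""
    return {key: {"type": "string"} for key in flat}

if __name__ == "__main__":
    for raw in (OBJECT_SHAPE, STRING_SHAPE):
        flat = normalise_subnets(raw)
        print(json.dumps(flat, indent=1))
        print(json.dumps(template_properties(flat), indent=1))
```

Flattening this way loses the pairing between one subnet's identifier and its own availability zone, which is the information a nested mapping would have kept.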
