Hi there,
Currently Event Analytics has a problem displaying / handling nested JSON logfiles:
opened 07:34AM - 19 Jul 22 UTC
bug
**What is the bug?**
nested json logfile `"log.attributes.priority": 30,` are not displayed correctly.
json in discover:
```
{
  "_index": "logs_logs",
  "_id": "ZVtIFYIB8GvAjIWF94J5",
  "_version": 1,
  "_score": null,
  "_source": {
    "traceId": "",
    "spanId": "",
    "flags": 0,
    "time": "2022-07-19T07:07:59.467977Z",
    "severityNumber": 9,
    "droppedAttributesCount": 0,
    "serviceName": null,
    "body": "<30>1 2022-07-19T09:07:59.467977+02:00 fwgate-1.test.local device_name=\"SFW\" - - - timestamp=\"2022-07-19T09:07:59+0200\" device_model=\"XG111\" device_serial_id=\"XXXXXXX\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=10 fw_rule_id=\"56\" nat_rule_id=\"0\" fw_rule_type=\"USER\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"xfrm4\" src_mac=\"34:DB:FD:83:D8:09\" dst_mac=\"C8:4F:86:04:0E:70\" src_ip=\"172.16.34.224\" src_country=\"R1\" dst_ip=\"172.17.35.132\" dst_country=\"R1\" protocol=\"TCP\" src_port=49856 dst_port=10050 packets_sent=5 packets_received=5 bytes_sent=319 bytes_received=292 src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"VPN\" dst_zone=\"VPN\" con_event=\"Stop\" con_id=\"3294294976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"xfrm4\"",
    "observedTime": "2022-07-19T07:07:59.479088669Z",
    "schemaUrl": "https://opentelemetry.io/schemas/1.6.1",
    "log.attributes.version": 1,
    "log.attributes.appname": "SFW",
    "log.attributes.priority": 30,
    "log.attributes.message": " timestamp=\"2022-07-19T09:07:59+0200\" device_model=\"X111\" device_serial_id=\"XXXXXXXX\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=10 fw_rule_id=\"56\" nat_rule_id=\"0\" fw_rule_type=\"USER\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"xfrm4\" src_mac=\"34:DB:FD:83:D8:09\" dst_mac=\"C8:4F:86:04:0E:70\" src_ip=\"172.16.34.224\" src_country=\"R1\" dst_ip=\"172.17.35.132\" dst_country=\"R1\" protocol=\"TCP\" src_port=49856 dst_port=10050 packets_sent=5 packets_received=5 bytes_sent=319 bytes_received=292 src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"VPN\" dst_zone=\"VPN\" con_event=\"Stop\" con_id=\"3294294976\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"xfrm4\"",
    "log.attributes.facility": 3,
    "resource.attributes.host@name": "ingest01.test.local",
    "resource.attributes.os@type": "linux",
    "resource.attributes.host@id": "ingest01.test.local",
    "log.attributes.hostname": "fwgate-1.test.local"
  },
  "fields": {
    "observedTime": [
      "2022-07-19T07:07:59.479Z"
    ],
    "time": [
      "2022-07-19T07:07:59.467Z"
    ]
  },
  "sort": [
    1658214479467
  ]
}
```
![discover](https://user-images.githubusercontent.com/6105075/179690901-9001a42d-6ff1-411f-9896-448aa5ea062b.png)
json in Event analytics:
```
{
  "traceId": "",
  "log": "null",
  "resource": "null",
  "flags": 0,
  "severityNumber": 9,
  "body": "<30>1 2022-07-19T09:04:38.287882+02:00 fwgate-1.test.local device_name=\"SFW\" - - - timestamp=\"2022-07-19T09:04:38+0200\" device_model=\"XG111\" device_serial_id=\"xxxxxxxxx\" log_id=\"010101600001\" log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" log_version=1 severity=\"Information\" duration=11 fw_rule_id=\"56\" nat_rule_id=\"0\" fw_rule_type=\"USER\" ether_type=\"Unknown (0x0000)\" in_interface=\"Port1\" out_interface=\"xfrm4\" src_mac=\"34:DB:FD:83:D8:09\" dst_mac=\"C8:4F:86:04:0E:70\" src_ip=\"172.16.34.224\" src_country=\"R1\" dst_ip=\"172.17.35.165\" dst_country=\"R1\" protocol=\"TCP\" src_port=36642 dst_port=10050 packets_sent=6 packets_received=4 bytes_sent=340 bytes_received=193 src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"VPN\" dst_zone=\"VPN\" con_event=\"Stop\" con_id=\"1546955264\" hb_status=\"No Heartbeat\" app_resolved_by=\"Signature\" app_is_cloud=\"FALSE\" qualifier=\"New\" in_display_interface=\"Port1\" out_display_interface=\"xfrm4\"",
  "observedTime": "2022-07-19 07:04:38.289119295",
  "schemaUrl": "https://opentelemetry.io/schemas/1.6.1",
  "spanId": "",
  "droppedAttributesCount": 0,
  "time": "2022-07-19 07:04:38.287882"
}
```
![Event](https://user-images.githubusercontent.com/6105075/179691761-11e38be4-ba13-4de7-98f1-060c57da3036.png)
**How can one reproduce the bug?**
The problem always arises with `nested json`.
**What is the expected behavior?**
The same representation as in Discover, i.e. no problems with nested json.
With this bug, currently Event analytics is not usable.
**What is your host/environment?**
**Do you have any screenshots?**
See above.
In many application areas you therefore cannot use Event Analytics with nested JSON logfiles, which is a pity.
Is there a chance that this bug will be fixed in the next release?
Thanks for the good work on OpenSearch.