Flat_object search issue

Versions Opensearch 2.19.2, curl as client

Describe the issue:

We have an index in our cluster with several flat_object fields:

% curl opensearch/k8s-audit-2025.30 | jq -c '.[].mappings.properties| .annotations, .responseStatus'
{"type":"flat_object"}
{"type":"flat_object"}

Here’s an example record:

% curl opensearch/k8s-audit-2025.30/_search -d'{"query":{"match_phrase":{"auditID":"fe1ee43b-199d-4f2d-a39c-01654e87a956"}}}' | jq '.hits| .total.value, .hits[0]._source.annotations, .hits[0]._source.responseStatus'
1
{
  "authorization.k8s.io/decision": "allow",
  "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:dns-autoscaler\" of ClusterRole \"system:dns-autoscaler\" to ServiceAccount \"dns-autoscaler/kube-system\""
}
{
  "metadata": {},
  "code": 200
}

When searching, we’ve noticed that it works when searching by the ‘responseStatus’ field:

% curl opensearch/k8s-audit-2025.30/_search -d'{"query":{"match":{"responseStatus":"200"}}}' | jq .hits.total.value
10000

However, it won’t search by the ‘annotations’ field:

% curl opensearch/k8s-audit-2025.30/_search -d'{"query":{"match":{"annotations":"allowed by"}}}' | jq .hits.total.value
0
% curl opensearch/k8s-audit-2025.30/_search -d'{"query":{"match_phrase":{"annotations":"allowed by"}}}' | jq .hits.total.value
0

Configuration:

Nothing special, just a cluster with some data nodes, some master nodes etc.

Relevant Logs or Screenshots:
All output in description.

@rlevitsky The fields inside the flat_object are not indexed; therefore, you will not be able to search using “allowed by”. You would need to use something like a wildcard search, see below:

GET k8s-audit-2025.30/_search
{
  "query": {
    "wildcard": {
      "annotations": {
        "value": "*allowed by*"
      }
    }
  }
}

However it is stated in the docs that:

Searching for a specific value of a nested field in a document may be inefficient because it may require a full scan of the index, which can be an expensive operation.

Thank you very much @Anthony!

I forgot that the wildcard query exists. Your suggestion works brilliantly!

It works properly with curl.

However, I have not yet found a way to use it with Kibana (Opensearch Dashboards) or to teach users what they have to enter in the query string to search for what they want.

Update:
*allowed by* works while annotations:*allowed by* doesn’t.

@rlevitsky does this resolve your query? If not, how exactly are you using Opensearch Dashboard for this? Is it in the discovery pane?

Thank you very much @Anthony for your effort.

We gave up on flat_object and are moving to text instead, using filters like this to make these records be treated like text in Opensearch:

      if [annotations] { ruby { code => '
          f = event.get("annotations")
          if f.is_a?(Hash)
            event.set("annotations2", f.inspect)
          end
          '
      }}
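
The search results reported in this thread (match on "200" hits, match on "allowed by" does not, the wildcard does, and the stringified copy becomes phrase-searchable) can be reproduced with a small model. This is an added example, not code from any poster or from OpenSearch. It assumes flat_object leaf values behave as whole, unanalyzed keyword terms and approximates a text analyzer by lowercasing and splitting on non-alphanumerics; all function names are hypothetical.

```ruby
# Constructed sample: the two flat_object values from the record quoted in the thread.
ANNOTATIONS = {
  "authorization.k8s.io/decision" => "allow",
  "authorization.k8s.io/reason" =>
    'RBAC: allowed by ClusterRoleBinding "system:dns-autoscaler" of ClusterRole ' \
    '"system:dns-autoscaler" to ServiceAccount "dns-autoscaler/kube-system"'
}.freeze
RESPONSE_STATUS = { "metadata" => {}, "code" => 200 }.freeze

# Assumed model: every leaf value is kept as one unanalyzed keyword term.
def leaf_terms(obj)
  case obj
  when Hash  then obj.values.flat_map { |v| leaf_terms(v) }
  when Array then obj.flat_map { |v| leaf_terms(v) }
  else [obj.to_s]
  end
end

# match against keyword terms: the query must equal a whole leaf value.
def keyword_match?(obj, query)
  leaf_terms(obj).include?(query)
end

# wildcard against keyword terms: the pattern must cover the whole value.
# Only '*' (any run of characters) is modelled here.
def wildcard_match?(obj, pattern)
  body = pattern.split("*", -1).map { |part| Regexp.escape(part) }.join(".*")
  re = Regexp.new("\\A#{body}\\z", Regexp::MULTILINE)
  leaf_terms(obj).any? { |term| re.match?(term) }
end

# Rough stand-in for a text analyzer: lowercase, split on non-alphanumerics.
def tokens(text)
  text.downcase.scan(/[[:alnum:]]+/)
end

# match_phrase against analyzed text: query tokens must appear consecutively.
def phrase_match?(text, phrase)
  want = tokens(phrase)
  return false if want.empty?
  tokens(text).each_cons(want.size).include?(want)
end

if __FILE__ == $PROGRAM_NAME
  puts "match 200 on responseStatus:       #{keyword_match?(RESPONSE_STATUS, '200')}"
  puts "match 'allowed by' on annotations: #{keyword_match?(ANNOTATIONS, 'allowed by')}"
  puts "wildcard '*allowed by*':           #{wildcard_match?(ANNOTATIONS, '*allowed by*')}"
  puts "match_phrase on inspect string:    #{phrase_match?(ANNOTATIONS.inspect, 'allowed by')}"
end
```

In this model the `inspect` string from the Logstash filter is searchable because it is analyzed into tokens; the extra quoting and `=>` that `inspect` adds are dropped by the tokenizer.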