Manage nested fields in Observability -> Logs -> Explorer

sloan58 · March 25, 2024, 6:21pm

OpenSearch/Dashboards v 2.10.0

I’m getting started with OpenSearch data streams and while viewing the logs for the data stream in Observability Explorer, I’d like to use the host.name property of the log message, but the nested object is being rendered as a string. I’m sure I have something misconfigured but have not found the magic Google query yet.

I have a mapping property set for it:

"host": {
          "properties": {
            "name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            }
          }
        },

Here’s what the json data in Explorer looks like:

The available fields on the left side only show host and not host.name. I’d like to have a field option for host.name instead of just host where all the values contain a stringified object. Is there a configuration change needed somewhere on the index template or mapping? TIA.

pablo · March 27, 2024, 1:35am

@sloan58 How do you ingest the data? Could you share a single document from the source?

sloan58 · March 27, 2024, 8:37am

@pablo thanks for the help. The docs get ingested via API (sent in from Cribl). I created an Index Template and Data Stream and have been using dynamic mapping so far while testing. The nested property is available under “Discover” but not in Observability. It’s like the data needs/wants to be flattened there. I’ve read some posts that allude to that, but haven’t been able to locate any docs that confirm it. Here’s a sample doc for this data stream.

{
    "_index": ".ds-logs-cribl-syslog-000001",
    "_id": "PoqC5Ps3r3rA1tWR",
    "_score": 1,
    "_source": {
        "message": "[WAN_LOCAL-default-D]IN=eth0....",
        "severity": 4,
        "facility": 0,
        "host": {
            "name": "10.1.10.1"
        },
        "appname": "kernel",
        "severityName": "warning",
        "facilityName": "kern",
        "_raw": "<4>Mar 26 18:12:23 kernel: [WAN_LOCAL-default-D]IN=eth0....",
        "cribl_pipe": "open_search",
        "@timestamp": "2024-03-26T18:12:23.000Z"
    }
}

Topic		Replies	Views
Nested objects are not displayed correctly in Discover dashboard Reporting Plugin troubleshoot	3	1174	January 17, 2023
Data stream visualization with dynamic mappings OpenSearch Dashboards troubleshoot	4	732	September 20, 2023
Fields missing in Observability->Logs, but present in Discover? OpenSearch Dashboards	3	161	August 15, 2024
Object mapping for [host] tried to parse field [host] as object, but found a concrete value OpenSearch	2	1622	October 6, 2023
[Solved] Fluentd/Opensearch - How to ingest nested types? OpenSearch	1	1708	July 7, 2022

Manage nested fields in Observability -> Logs -> Explorer

Related topics