Manage nested fields in Observability -> Logs -> Explorer

sloan58 · March 25, 2024, 6:21pm

OpenSearch/Dashboards v 2.10.0

I’m getting started with OpenSearch data streams and while viewing the logs for the data stream in Observability Explorer, I’d like to use the host.name property of the log message, but the nested object is being rendered as a string. I’m sure I have something misconfigured but have not found the magic Google query yet.

I have a mapping property set for it:

"host": {
          "properties": {
            "name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            }
          }
        },

Here’s what the json data in Explorer looks like:

The available fields on the left side only show host and not host.name. I’d like to have a field option for host.name instead of just host where all the values contain a stringified object. Is there a configuration change needed somewhere on the index template or mapping? TIA.

pablo · March 27, 2024, 1:35am

@sloan58 How do you ingest the data? Could you share a single document from the source?

sloan58 · March 27, 2024, 8:37am

@pablo thanks for the help. The docs get ingested via API (sent in from Cribl). I created an Index Template and Data Stream and have been using dynamic mapping so far while testing. The nested property is available under “Discover” but not in Observability. It’s like the data needs/wants to be flattened there. I’ve read some posts that allude to that, but haven’t been able to locate any docs that confirm it. Here’s a sample doc for this data stream.

{
    "_index": ".ds-logs-cribl-syslog-000001",
    "_id": "PoqC5Ps3r3rA1tWR",
    "_score": 1,
    "_source": {
        "message": "[WAN_LOCAL-default-D]IN=eth0....",
        "severity": 4,
        "facility": 0,
        "host": {
            "name": "10.1.10.1"
        },
        "appname": "kernel",
        "severityName": "warning",
        "facilityName": "kern",
        "_raw": "<4>Mar 26 18:12:23 kernel: [WAN_LOCAL-default-D]IN=eth0....",
        "cribl_pipe": "open_search",
        "@timestamp": "2024-03-26T18:12:23.000Z"
    }
}

Topic		Replies	Views
Nested objects are not displayed correctly in Discover dashboard Reporting Plugin troubleshoot	3	864	January 17, 2023
Object mapping for [host] tried to parse field [host] as object, but found a concrete value OpenSearch	2	809	October 6, 2023
[Solved] Fluentd/Opensearch - How to ingest nested types? OpenSearch	1	1182	July 7, 2022
Data stream visualization with dynamic mappings OpenSearch Dashboards troubleshoot	4	442	September 20, 2023
Multi field of type `object` and `nested` OpenSearch	3	276	August 22, 2023

Manage nested fields in Observability -> Logs -> Explorer

Related Topics