Issues with Elasticsearch table panel



I have manually added the mapping for the index as below:


    "threadInfo": {
        "properties": {
            "indicators": {
                "type": "nested",
                "properties": {
                    "applicationName": {
                        "type": "text"
                    },
                    "indicatorName": {
                        "type": "text"
                    },
                    "sha256Hash": {
                        "type": "text"
                    }
                }
            }
        }
    }

But when I check for the field in the Elasticsearch table panel, it shows as below.

Kindly let me know how to make it work.


Could someone please let me know the issues? Thanks.


May I know why I could not use a keyword field in the table panel?

For example:


{"_id":"wo2yaGoBPzIHdg4Orf2o","_type":"doc","_index":"test_2019.04","@timestamp":["2019-04-29T10:45:01.025Z"],"success":true,"event_msg":"***Preformatted texthas detected a threat against your company.","event_detailedMsg":"The application WmiPrvSE.exe was detected running. A Terminate Policy Action was applied","event_email":"Email: Janewin7\\jane","event_severity":"Severity: Threat","event_url":"","event_name":"Name: Janewin7","event_threadscore":"Threat score: 3","@version":"1","event_incidentid":"Incident id: GWCD1UCR","event_priority":"Threat priority greater than 1","event_ostype":"Type and OS: WINDOWS Windows 10 x64","notifications":[{"threatInfo":{"indicators":[{"indicatorName":"READ_SECURITY_DATA","sha256Hash":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15","applicationName":"WmiPrvSE.exe"},{"indicatorName":"RAM_SCRAPING","sha256Hash":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15","applicationName":"WmiPrvSE.exe"},

Above is the JSON data. I want to show all the indicatorName values in a table by accessing the field “notifications.threatInfo.indicators.indicatorName.keyword”. However, I can see only the field “notifications.threatInfo.indicators” from the table panel, but in the graph panel I can see the field “notifications.threatInfo.indicators.indicatorName.keyword”.

Kindly advise. In Splunk, I can easily show it in a table panel.


I think there’s a limitation on how many levels deep properties are processed. Looking at the source code, it seems like 3 is the maximum depth. This code is used by the JSON transformer for the table panel.

I’m guessing that the limit of 3 levels deep is due to possible performance issues if you have a lot of documents/rows.

Would suggest you open an issue regarding this if this is important for you.
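
The depth cut-off described in the reply above, as an added example that is not part of the thread and is not Grafana's source code. `flattenColumns` is a hypothetical depth-limited flatten (array elements are assumed to merge into their parent path, which matches the column name reported in the question), `indicatorRows` is a hypothetical pre-processing step that emits one shallow row per indicator, and the sample document is constructed from the field names in the question.

```javascript
// Constructed sample shaped like the alert document in the question.
const sampleDoc = {
  event_incidentid: 'Incident id: EXAMPLE01', // constructed value
  notifications: [{
    threatInfo: {
      indicators: [
        { indicatorName: 'READ_SECURITY_DATA', applicationName: 'WmiPrvSE.exe' },
        { indicatorName: 'RAM_SCRAPING', applicationName: 'WmiPrvSE.exe' },
      ],
    },
  }],
};

// Collect dotted column names, descending at most maxDepth object levels.
// Assumption: arrays do not add a level; their elements share the parent path.
function flattenColumns(value, maxDepth = 3, prefix = '', depth = 0, out = new Set()) {
  if (Array.isArray(value)) {
    for (const item of value) flattenColumns(item, maxDepth, prefix, depth, out);
  } else if (value !== null && typeof value === 'object' && depth < maxDepth) {
    for (const [key, child] of Object.entries(value)) {
      const path = prefix ? `${prefix}.${key}` : key;
      flattenColumns(child, maxDepth, path, depth + 1, out);
    }
  } else if (prefix) {
    out.add(prefix); // a leaf value, or an object cut off at maxDepth
  }
  return out;
}

// One row per indicator, so every field of interest sits at depth 1.
function indicatorRows(doc) {
  const rows = [];
  for (const note of doc.notifications || []) {
    const indicators = (note.threatInfo && note.threatInfo.indicators) || [];
    for (const ind of indicators) {
      rows.push({ incident: doc.event_incidentid, ...ind });
    }
  }
  return rows;
}

console.log([...flattenColumns(sampleDoc)]);                // stops at ...indicators
console.log([...flattenColumns(sampleDoc, 4)]);             // reaches indicatorName
console.log([...flattenColumns(indicatorRows(sampleDoc))]); // shallow row columns
```
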