Issues with elasticsearch table panel

#1

Hi,

I have manually added the mapping for the index as below

FYI:-

   "threadInfo": {
                "properties": {
                  "indicators": {
                    "type": "nested",
                    "properties": {
                      "applicationName": {
                        "type": "text"
                      },
                      "indicatorName": {
                        "type": "text"
                      },
                      "sha256Hash": {
                        "type": "text"
                      }
                    }
                  }
                }

But when I check for the field in the Elasticsearch table panel, it shows as below.

Kindly let me know how to make it work.

#2

Could someone please let me know the issue? Thanks.

#3

May I know why I could not use the keyword field in the table panel?

For example:
indicators.keyword

#4

{"_id":"wo2yaGoBPzIHdg4Orf2o","_type":"doc","_index":"test_2019.04","@timestamp":["2019-04-29T10:45:01.025Z"],"success":true,"event_msg":"***Preformatted texthas detected a threat against your company.","event_detailedMsg":"The application WmiPrvSE.exe was detected running. A Terminate Policy Action was applied","event_email":"Email: Janewin7\\jane","event_severity":"Severity: Threat","event_url":"https://defense-prod05.conferdeploy.net#device/663442/incident/GWCD1UCR","event_name":"Name: Janewin7","event_threadscore":"Threat score: 3","@version":"1","event_incidentid":"Incident id: GWCD1UCR","event_priority":"Threat priority greater than 1","event_ostype":"Type and OS: WINDOWS Windows 10 x64","notifications":[{"threatInfo":{"indicators":[{"indicatorName":"READ_SECURITY_DATA","sha256Hash":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15","applicationName":"WmiPrvSE.exe"},{"indicatorName":"RAM_SCRAPING","sha256Hash":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15","applicationName":"WmiPrvSE.exe"},

Above is the JSON data. I want to show all the indicatorName values in a table by accessing the field “notifications.threatInfo.indicators.indicatorName.keyword”. However, I can see only the field “notifications.threatInfo.indicators” from the table panel, while in the graph panel I can see the field “notifications.threatInfo.indicators.indicatorName.keyword”.

Kindly advise. In Splunk, I can easily show it in a table panel.

#5

Think there’s a limitation of how many levels deep properties are processed. Seems like 3 is the maximum depth looking at the source code. This code is used by the json transformer for the table panel.

I’m guessing that the 3 levels deep limit is due to possible performance issues if you have a lot of documents/rows.

Would suggest you open an issue regarding this if this is important for you.
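As an added illustration (not Grafana's own code and not from this thread), the toy flattener below mimics the depth limit described in #5: property paths are only expanded a fixed number of object levels, so with a limit of 3 the document from #4 yields notifications.threatInfo.indicators as an opaque value, while the indicatorName beneath it only becomes a column with a deeper limit. The exact depth-counting rule and the trimmed sample document are assumptions.

```javascript
// Hypothetical flattener reproducing the symptom, not Grafana's json transformer.
// Objects nested deeper than maxDepth are kept as opaque values under the
// path reached so far; arrays are merged under their parent's path.
function flattenDoc(doc, maxDepth = 3) {
  const out = {};
  const put = (path, v) => { (out[path] = out[path] || []).push(v); };
  function walk(value, path, depth) {
    if (Array.isArray(value)) {          // arrays do not consume a level
      value.forEach((item) => walk(item, path, depth));
    } else if (value !== null && typeof value === 'object') {
      if (depth >= maxDepth) {           // depth exhausted: keep sub-object whole
        put(path, value);
        return;
      }
      for (const [key, child] of Object.entries(value)) {
        walk(child, path ? `${path}.${key}` : key, depth + 1);
      }
    } else {
      put(path, value);                  // scalar leaf
    }
  }
  walk(doc, '', 0);
  for (const k of Object.keys(out)) if (out[k].length === 1) out[k] = out[k][0];
  return out;
}

// Field names the table panel would offer at a given depth limit.
function listFields(doc, maxDepth = 3) {
  return Object.keys(flattenDoc(doc, maxDepth)).sort();
}

// Constructed sample, trimmed from the document posted in #4 (assumption).
const SAMPLE_DOC = {
  '@timestamp': '2019-04-29T10:45:01.025Z',
  event_severity: 'Severity: Threat',
  notifications: [{
    threatInfo: {
      indicators: [
        { indicatorName: 'READ_SECURITY_DATA', applicationName: 'WmiPrvSE.exe' },
        { indicatorName: 'RAM_SCRAPING', applicationName: 'WmiPrvSE.exe' },
      ],
    },
  }],
};
```

With maxDepth 3 the deepest reachable path is notifications.threatInfo.indicators (its value is the raw array of indicator objects); raising the limit to 4 exposes notifications.threatInfo.indicators.indicatorName with both indicator names.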