metron-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Laurens Vets <laur...@daemon.be>
Subject elasticsearch template question.
Date Wed, 07 Feb 2018 01:26:02 GMT
I hope there's an elasticsearch expert on the mailing list :D

I have a field called "responseElements:subnets" which can either 
contain:

{
   "subnetIdentifier": "subnet-abcdefgh",
   "subnetStatus": "Active",
   "subnetAvailabilityZone": {
     "name": "us-west-2c"
   }
},
{
   "subnetIdentifier": "subnet-12345678",
   "subnetStatus": "Active",
   "subnetAvailabilityZone": {
     "name": "us-west-2b"
   }
}

or:

subnet-abcdefgh, subnet-12345678, subnet-a1b2c3d4

Any idea how I can map this in my template?

For the first case, I got:

"responseElements:subnets": {
   "type": "nested",
   "properties": {
     "subnetIdentifier": { "type": "string"  },
     "subnetStatus": { "type": "string"  },
     "subnetAvailabilityZone": {
       "type": "nested",
       "properties": {
         "name": { "type": "string" } } } } }

But how can I map the 2nd case?

Mime
View raw message