https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12958

--- Comment #39 from Christoph Wurm <w...@elastic.co> ---
Currently it looks like this:

"timestamp": "1331901000000",
"layers": {
    "frame": {
      "frame_frame_encap_type": "1",
      "frame_frame_time": "Mar 16, 2012 05:30:00.000000000 PDT"

In Kibana, the first field name will be displayed as
"layers.frame.frame_frame_encap_type" (nesting has the same effect as using
dots in field names).

What I think it should look like is:

"timestamp": 1331901000000,
"frame.encap_type": 1,
"frame.time": "Mar 16, 2012 05:30:00.000000000 PDT"

The field names can be what they are in the Display Filter Reference at
https://www.wireshark.org/docs/dfref/.

Additionally:
1) There should never be any duplicate JSON keys - the upcoming Elasticsearch
6.0 will refuse to index such documents (and in ES 5.x it will overwrite
values). Keys with more than one value should represent their values as arrays.
2) If at all possible, numeric fields should have their values represented as
such - Elasticsearch will infer the correct data type (e.g.
"frame_frame_number": "1" should be "frame_frame_number": 1 - or rather
"frame.number": 1).
3) "_score" doesn't need to be included in the metadata lines - it is always
null anyway.
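
The reshaping described above, as an added example (mine, not the poster's or Wireshark's code): it parses a constructed ek-style document, keeps repeated keys as arrays instead of overwriting them, converts numeric strings to numbers and flattens `layers` into dotted names. The layer-prefix stripping is an assumed heuristic, since recovering the real display-filter names would need Wireshark's field registry.

```python
import json

# Constructed sample shaped like the "current" output quoted in the comment; the
# repeated ip_ip_addr key is the duplicate that Elasticsearch 6.0 rejects.
SAMPLE_EK = '''{"timestamp": "1331901000000", "layers": {
  "frame": {"frame_frame_encap_type": "1", "frame_frame_len": "74",
            "frame_frame_time": "Mar 16, 2012 05:30:00.000000000 PDT"},
  "ip": {"ip_ip_addr": "10.0.0.1", "ip_ip_addr": "10.0.0.2", "ip_ip_ttl": "64"}}}'''

def keep_duplicates(pairs):
    # object_pairs_hook: json.loads would otherwise keep only the last value of
    # a repeated key, exactly the silent overwrite the comment describes.
    out = {}
    for key, value in pairs:
        if key in out:
            if not isinstance(out[key], list):
                out[key] = [out[key]]
            out[key].append(value)
        else:
            out[key] = value
    return out

def coerce(value):
    # Numeric-looking strings become numbers; "10.0.0.1" and "0x0800" stay strings.
    if isinstance(value, list):
        return [coerce(v) for v in value]
    if isinstance(value, str) and value.lstrip("+-")[:1].isdigit():
        for cast in (int, float):
            try:
                return cast(value)
            except ValueError:
                pass
    return value

def flatten_ek(doc):
    # Assumption (heuristic, not Wireshark's field registry): an ek key is
    # <layer>_<field with dots replaced by underscores>, so only the first dot
    # of the display-filter name can be restored ("tcp.flags.syn" -> "tcp.flags_syn").
    flat = {k: coerce(v) for k, v in doc.items() if k != "layers"}
    for layer, fields in doc.get("layers", {}).items():
        prefix = layer + "_"
        for key, value in fields.items():
            name = key[len(prefix):] if key.startswith(prefix) else key
            flat[name.replace("_", ".", 1)] = coerce(value)
    return flat

def parse_ek_line(line):
    return flatten_ek(json.loads(line, object_pairs_hook=keep_duplicates))
```

Running `parse_ek_line(SAMPLE_EK)` yields `"frame.encap_type": 1`, `"ip.addr": ["10.0.0.1", "10.0.0.2"]` and a numeric `timestamp`, with no `layers` nesting left.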
