Add analyzer multi-field capability #1264

Closed
sektorcap opened this issue Feb 16, 2021 · 1 comment · Fixed by #1737
Labels
enhancement New feature or request ready Issues we'd like to address in the future.


@sektorcap

Summary
Add support for the analyzer in the ECS field definitions.

Example:

- name: url
  title: URL
  description: URL fields provide support for complete or partial URLs, and supports
    the breaking down into scheme, domain, path, and so on.
  type: group
  fields:
  - name: domain
    level: extended
    type: keyword
    ignore_above: 1024
    multi_fields:
    - name: text
      type: text
      analyzer: domain_analyzer
    description: 'Domain of the url, such as "www.elastic.co".'

Example ES index template snippet:

      "url": {
        "properties": {
          "domain": {
            "fields": {
              "text": {
                "analyzer": "domain_analyzer",
                "norms": false,
                "type": "text"
              }
            },
            "ignore_above": 1024,
            "type": "keyword"
          },
...

Of course, in the template settings you should define the analyzer.

{
  "order": 1,
  "index_patterns": [
    "your-ecs-*"
  ],
  "settings": {
    "index": {
      "mapping": {
        "total_fields": {
          "limit": "10000"
        }
      },
      "analysis": {
        "analyzer": {
          "domain_analyzer": {
            "type": "pattern",
            "pattern": "\\."
          }
        }
      },
      "refresh_interval": "5s"
    }
  }
}

@sektorcap sektorcap added the enhancement New feature or request label Feb 16, 2021
@ebeahan ebeahan added the ready Issues we'd like to address in the future. label Feb 19, 2021
@kgeller kgeller self-assigned this Apr 19, 2021
@BenB196

BenB196 commented Jun 15, 2021

I would like to add another use-case here. Currently url.path is only handled as a keyword, but if you have a long and complex path, and you want to search for paths containing a specific word(s), you need to resort to wildcard usage. You could use another analyzer like pattern: "/" to parse the paths to be more search friendly.
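
An added illustration, not code from this issue or from the ECS project: a Python approximation of how the `pattern` analyzers proposed in this thread would tokenize `url.domain` and `url.path`, and why a match on a `.text` multi-field finds values that an exact keyword lookup misses. The sample events, document IDs and helper names are constructed assumptions, and the tokenizer only approximates Elasticsearch's behaviour (split on the regex, drop empty tokens, lowercase by default).

```python
import re

# Analyzer patterns from the thread: "\\." for url.domain, "/" for url.path.
ANALYZERS = {"url.domain": r"\.", "url.path": "/"}

def pattern_analyze(text, pattern, lowercase=True):
    """Approximate the "pattern" analyzer: split on the regex,
    drop empty tokens, lowercase (the analyzer's default)."""
    tokens = [t for t in re.split(pattern, text) if t]
    return [t.lower() for t in tokens] if lowercase else tokens

def index_docs(docs):
    """Return (keyword index, text index): exact values per field, plus an
    inverted index of the terms a `.text` multi-field would hold."""
    keyword, text = {}, {}
    for doc_id, doc in docs.items():
        for field, value in doc.items():
            keyword.setdefault(field, {}).setdefault(value, set()).add(doc_id)
            for term in pattern_analyze(value, ANALYZERS[field]):
                text.setdefault(field, {}).setdefault(term, set()).add(doc_id)
    return keyword, text

def term_query(keyword_index, field, value):
    """Exact lookup on the keyword field: the whole value must be equal."""
    return sorted(keyword_index.get(field, {}).get(value, set()))

def match_query(text_index, field, query):
    """Match on the `.text` sub-field: the query is analyzed with the same
    analyzer and any resulting term may hit (OR semantics)."""
    hits = set()
    for term in pattern_analyze(query, ANALYZERS[field]):
        hits |= text_index.get(field, {}).get(term, set())
    return sorted(hits)

# Constructed sample events (not taken from the issue).
DOCS = {
    1: {"url.domain": "www.elastic.co", "url.path": "/guide/en/ecs/index.html"},
    2: {"url.domain": "Login.Example.com", "url.path": "/api/v1/login"},
    3: {"url.domain": "cdn.example.org", "url.path": "/static/js/login/app.js"},
}
KEYWORD, TEXT = index_docs(DOCS)

if __name__ == "__main__":
    print(pattern_analyze("www.elastic.co", ANALYZERS["url.domain"]))
    print("keyword term 'example':", term_query(KEYWORD, "url.domain", "example"))
    print("text match 'example':  ", match_query(TEXT, "url.domain", "example"))
    print("path match 'login':    ", match_query(TEXT, "url.path", "login"))
```
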
