search

elastic / elasticsearch-net

This strongly-typed, client library enables working with Elasticsearch. It is the official client maintained and supported by Elastic.
https://www.elastic.co/guide/en/elasticsearch/client/net-api/current/index.html
Apache License 2.0
17 stars 1.15k forks source link

Elasticsearch.NEST query source filtering does not tolerate fields with different mapping #4892

Closed hmnguyen1201 closed 4 years ago

hmnguyen1201 commented 4 years ago

I am trying to query a field across multiple indices and select the fields using source filter using the query below but the query would fail if field source.port has different mappings in 2 different indices for example source.port == keyword on index a but == integer on index b. How can I make the query more tolerable to this mapping difference?

NEST/Elasticsearch.Net version: 7.6.2 Elasticsearch version: 7.6.2 Description of the problem including expected versus actual behavior:

The error I am getting: Elasticsearch.Net.Utf8Json.JsonParsingException: expected:'Number Token', actual:'"61899"', at offset:175

var searchResults = EsClient.Search(q => q .Source(src => src .Includes(e => e .Fields( p => p.filter.msgSizeBytes, p => p.msg.parsedAddresses.from, p => p.msg.parsedAddresses.to, p => p.msg.normalizedHeader.subject, p => p.envelope.rcpts, p => p.timestamp, p => p.filter.modules.dmarc.filterdResult, p => p.msgParts.detectedExt, p => p.originating_ip, p => p.msg.normalizedHeader, //p => p.Event.time, p => p.host.hostname, p => p.log.level, p => p.log_name, //p => p.Event.id, p => p.process.pid, p => p.process.name, p => p.process.path, p => p.process.args, p => p.process.parent_name, p => p.process.parent_args, p => p.process.parent_path, p => p.process.parent_name, p => p.Event.action, p => p.cisco.reason, p => p.destination.ip, p => p.dns.request.url, p => p.source.port, p => p.source.hostname, p => p.destination.hostname, p => p.source.ip, p => p.url.full ) ) )

hmnguyen1201 commented 4 years ago

I got a suggestion from a friend to initialize fields like source.port and process.pid as object type and that was the fix to my problem. Closing this ticket

russcam commented 4 years ago

Hi @hmnguyen1201, I think the issue here is more generally related to JSON deserialization to a type.

If two different indices contain a mapping with the same field name but a different type e.g. port field with keyword and integer mappings in two different indices, then the type that the _source document returned from each of the indices will be deserialized into must be able to successfully deserialize a string and int into the port property on the type. Using object as the port property type would achieve this.