flatten - OpenSearch Documentation
flatten | OpenSearch Documentation
OpenSearch
About
Releases
Roadmap
FAQ
Platform
Observability
Security Analytics
Vector Database
Playground Demo
Performance Benchmarks
Community
Forum
Slack
Events
Solutions Providers
Projects
Members
Documentation
OpenSearch and Dashboards
Data Prepper
Clients
Benchmark
Migration Assistant
Blog
Documentation
flatten
The
flatten
command converts a struct or object field into individual fields within a document.
The resulting flattened fields are ordered lexicographically by their original key names. For example, if a struct contains the keys
, and
, the flattened fields are ordered as
flatten
should not be applied to arrays. To expand an array field into multiple rows, use the
expand
command. Note that arrays can be stored in non-array fields in OpenSearch; when flattening a field that contains a nested array, only the first element of the array is flattened.
Syntax
The
flatten
command has the following syntax:
flatten
field
as
alias
list
)]
Parameters
The
flatten
command supports the following parameters.
Parameter
Required/Optional
Description
Required
The field to be flattened. Only object and nested fields are supported.
Optional
A list of names to use instead of the original key names, separated by commas. If specifying more than one alias, enclose the list in parentheses. The number of aliases must match the number of keys in the struct, and the aliases must follow the lexicographical order of the corresponding original keys.
Example: Flatten an object field using aliases
Given the following index
my-index
"message"
:{
"info"
"a"
"author"
"e"
"dayOfWeek"
},
"myNum"
"message"
:{
"info"
"b"
"author"
"f"
"dayOfWeek"
},
"myNum"
with the following mapping:
"mappings"
"properties"
"message"
"type"
"object"
"properties"
"info"
"type"
"keyword"
"index"
"true"
},
"author"
"type"
"keyword"
"fields"
"keyword"
"type"
"keyword"
"ignore_above"
256
},
"index"
"true"
},
"dayOfWeek"
"type"
"long"
},
"myNum"
"type"
"long"
The following query flattens a
message
object field and uses aliases to rename the flattened fields to
creator, dow, info
source
my
index
flatten
message
as
creator
dow
info
copy
The query returns the following results:
message
myNum
creator
dow
info
{“info”:”a”,”author”:”e”,”dayOfWeek”:1}
{“info”:”b”,”author”:”f”,”dayOfWeek”:2}
Limitations
The
flatten
command has the following limitations:
The
flatten
command may not function as expected if the fields to be flattened are not visible. For example, in the query
source=my-index | fields message | flatten message
, the
flatten message
command fails to execute as expected because some flattened fields, such as
message.info
and
message.author
, are hidden after the
fields message
command. As an alternative, use
source=my-index | flatten message
Syntax
Parameters
Example: Flatten an object field using aliases
Limitations
WAS THIS PAGE HELPFUL?
✔ Yes
✖ No
Tell us why
350 characters left
Thank you for your feedback!
Have a question?
Ask us on the OpenSearch forum
Want to contribute?
Edit this page
or
create an issue
OpenSearch Links
Get Involved
Code of Conduct
Forum
GitHub
Slack
Resources
About
Release Schedule
Maintenance Policy
FAQ
Testimonials
Trademark and Brand Policy
Connect
Meetup
Copyright © OpenSearch Project a Series of LF Projects, LLC
For web site terms of use, trademark policy and other project policies please see
US