DocumentationChaosSearch Blog
StatusHome Page

Schema Transformations

You can use the view Schema Transformations to virtually transform and materialize columns for analytics and querying.

Suggest Edits

When creating a view, you can virtually transform the schema of any of the fields within the indexed data structure. The ChaosSearch virtual transformations provide powerful features to create additional or custom view columns while leaving the source indexed data intact and available for different transformations with other views for other users or purposes.

To create a transformation:

  1. While in the create view process, and in the Schema Transformation window, select or search for the column that you want to transform.
  2. Click the gear icon at the right end of the column row. The Schema Transformation window opens.
1738
  1. In the Schema Transformation window, you can select from several predefined transformations.
  2. Select the desired transformation type, and supply any additional content as applicable, then click Save Transform.
2018

The transformation options include the following:

OptionDescription
Materialize with RegexUse a custom regular expression to transform one column into one or more searchable columns with distinct content.
Materialize with JSONPathUse a JSONPath expression to select and transform a field inside a JSON string blob as a materialized column that can be used for filtering and analytics.
Treat as IPFor an IP address that is usually stored as a string value, select Treated as IP to virtually transform that value to an IP data column.
Treat as GeoPointFor geo-location data, treat the content of the indexed data as longitude or latitude geolocation data.
Treat as Isolation KeyFor ChaosSearch object groups that use isolation keys to split the indexed data into tenant-specific or other specific chunks, you can use this transform to specify that a column other than cs_partition_key_# will be used as filtering key to control which chunk(s) of data to include as part of the search results or analytics of this view. The column must contain values that are identical to the isolation key values in the cs_partition_key_# column.
Treat as Nested JSONConfigure a column with JSON string content to support querying with Elastic nested path expressions in a Search Analytics Discover filter or in Elastic API search calls.

The Treat as transforms essentially set the data type for the column to the specified data type for the purposes of visualization and analysis. The Materialize transforms are used to create additional specific columns in the view for analysis and filtering, as described in the following sections.

Regular Expression Transformations

As an example of a Materialize with Regex transformation, if you have a log file with a field that contains a string of web URL data, you might want to transform the field into three virtual/materialized columns that each contain a specific part such as the domain, port, and path components for use with analysis or filtering purposes.

After selecting the URL field and clicking the gear icon to transform it:

  1. Make sure that Materialize with Regex is selected as the transformation.
  2. Type the regular expression pattern to use for each field, such as (\S+[ :])(\d+)(\S+) as an example. See Refinery Transformation Regex for other sample patterns.
  3. Click Add Field to add three fields, and name them domain, port, and path. Make sure that domain and path are STRING types, while port is a NUMBER type.
  4. Click Refresh to update the Preview pane and review the transformation. If there are any errors or changes, you can update the regular expression and/or fields and refresh again.
  5. Click Save Transform when finished.
2704

After saving your transformation changes, the Schema Transformation window shows the transformed fields as in the following example:

1620

JSONPath Transformations

If an indexed data field contains JSON string content, you can use this transformation to specify one or more specific JSON properties as a materialized column for analytics. In many implementations, JSON string content supports only text searching within their content, but the ChaosSearch Materialize with JSONPath transformation allows you to specify a JSON path value to select a property within the JSON string, and to create a materialized column for the view. The JSON string blob remains intact for text searches and other analysis.

After selecting the JSON string field and clicking the gear icon to transform it:

  1. Make sure that Materialize with JSONPath is selected as the transformation.
  2. Click Add Field to create a placeholder for each field that you want to transform.
1439
  1. Type the JSONPath expression pattern to identify each property that you want to materialize as a column. You can use third-party tools such as the online JSON path formatter to create the required JSON path value. In this example, a simple JSNPath is used to isolate the connect:version property as a new column named version.
  2. Click Refresh to update the Preview pane and review the transformation. If there are any errors or changes, you can update the path expression and/or fields and refresh again.
  3. Click Save Transform when finished. The new virtual column shown on the Schema Transformation window.
791

Updated 9 days ago