
I need to log HTTP requests and responses from various endpoints. Requests and responses are in JSON format, but the payloads could be completely different.

There will be millions of logs and they will be queried very sparsely. Cost is more important than performance.

What is the best mapping property type for this kind of free-form JSON field, nested or object?

hevi

1 Answer


Elastic created a specific mapping type for this kind of need in 7.14, which is called match_only_text. You can read more about the hows and whys in their blog article.

The main objective of match_only_text was to trade scoring and efficiency of positional queries for space efficiency; in other terms, the same body of text is stored more efficiently and uses less space (your main concern was cost!), while still allowing you to query the payload the same way as if it was indexed using a text field.

Val
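An added example, not part of the original answer: one way to apply match_only_text to free-form HTTP payloads. It assumes each payload is serialized to a single JSON string before indexing (a text-family field takes strings, not objects), so payloads with conflicting shapes never create per-key mappings. The index field names and the `dynamic: strict` setting are illustrative choices, not taken from the answer.

```python
import json
from datetime import datetime, timezone

# Index body to send when creating the index. Field names are hypothetical;
# only the "match_only_text" type comes from the answer above.
HTTP_LOG_MAPPING = {
    "mappings": {
        "dynamic": "strict",  # reject documents carrying unmapped fields
        "properties": {
            "@timestamp": {"type": "date"},
            "endpoint": {"type": "keyword"},
            "status": {"type": "short"},
            "request_body": {"type": "match_only_text"},
            "response_body": {"type": "match_only_text"},
        },
    }
}


def payload_to_text(payload):
    """Turn any payload into one compact, key-sorted string for indexing."""
    if isinstance(payload, (bytes, bytearray)):
        payload = payload.decode("utf-8", errors="replace")
    if isinstance(payload, str):
        try:
            payload = json.loads(payload)
        except ValueError:
            return payload  # not JSON (e.g. a plain-text error body): keep as is
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)


def build_log_doc(endpoint, status, request_payload, response_payload, now=None):
    """Build a document that fits HTTP_LOG_MAPPING whatever the payload shape."""
    doc = {
        "@timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "endpoint": endpoint,
        "status": status,
        "request_body": payload_to_text(request_payload),
        "response_body": payload_to_text(response_payload),
    }
    unmapped = set(doc) - set(HTTP_LOG_MAPPING["mappings"]["properties"])
    if unmapped:
        raise ValueError(f"unmapped fields: {sorted(unmapped)}")
    return doc
```

The two payload fields stay searchable with ordinary match queries, while the index keeps a fixed, five-field mapping regardless of what the endpoints send.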