I noticed that in JSON outputs (-T json or -T ek), all fields will be an array with 1 value:
{
  "_index": "packets-[redacted]",
  "_type": "doc",
  "_score": null,
  "_source": {
    "layers": {
      "frame.number": [
        "1"
      ],
      "frame.time": [
        "[redacted]"
      ],
      "eth.src": [
        "[redacted]"
      ],
      "eth.dst": [
        "[redacted]"
      ],
      "ip.src": [
        "[redacted]"
      ],
      "ip.dst": [
        "[redacted]"
      ],
      "ip.proto": [
        "6"
      ]
    }
  }
},
etc
So my questions are:
1) What exactly are "layers" in this context?
2) Why is each field an array of one value (as opposed to not being an array)?