Extracting data from _source document in ElasticSearch results with jq

To describe in your jq query how to navigate in the document to the data you want to extract might look like the following:

jq -r '.hits.hits[]._source.customer_name'

In this case, the output is:

Timbuktu IncBunnies Inc

To generate a key/value CSV, one might use:

jq -r '.hits.hits[]._source | to_entries | .[] | [.key, .value] | @csv'

...with output:

"customer_app_version","el7.20150513""customer_num_apps",3"app_memory_capacity_bytes",405248409600"customer_name","Timbuktu Inc""app_disk_size_bytes",25117047875604"customer_app_version","el4.20150513""customer_num_apps",34"app_memory_capacity_bytes",58923439600"customer_name","Bunnies Inc""app_disk_size_bytes",36517984275604

If you want customer name to be a column of its own, this might instead be:

jq -r '.hits.hits[]._source | .customer_name as $name | del(.customer_name) | to_entries | .[] | [$name, .key, .value] | @csv'

...with output:

"Timbuktu Inc","customer_app_version","el7.20150513""Timbuktu Inc","customer_num_apps",3"Timbuktu Inc","app_memory_capacity_bytes",405248409600"Timbuktu Inc","app_disk_size_bytes",25117047875604"Bunnies Inc","customer_app_version","el4.20150513""Bunnies Inc","customer_num_apps",34"Bunnies Inc","app_memory_capacity_bytes",58923439600"Bunnies Inc","app_disk_size_bytes",36517984275604

If you're willing to hardcode the column names, consider instead:

jq -r '.hits.hits[]._source | [.customer_name, .customer_app_version, .customer_num_apps, .app_memory_capacity_bytes, .app_disk_size_bytes] | @csv'

with output:

"Timbuktu Inc","el7.20150513",3,405248409600,25117047875604"Bunnies Inc","el4.20150513",34,58923439600,36517984275604