In the implementation of the Audit Logging Service Elasticsearch handler with AM, the JSON format uses a nested array to report "entries" for each transaction. The client's IP address is included in these entries. Because of this, it is not possible to create visualisations that include this field in Kibana, which does not support parsing of nested arrays.
The ability to manipulate the JSON structure, or an implementation of it that allows Kibana to parse the field, would address this issue.
This possible enhancement was identified because a requirement to trace failing authentications by IP address cannot currently be met with the AM, Elasticsearch and Kibana integration.
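One way to manipulate the structure before indexing, shown as an added example that is not AM's or the handler's own code: it hoists the client IP out of the nested "entries" array into a top-level field of scalar values and counts failed events per IP. Only "entries" is named above; the `info.ipAddress` path, the `result` field with the value `FAILED`, the output field `client_ip` and the sample events are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Assumption: each element of "entries" keeps the client IP at info.ipAddress
# and the event outcome is a top-level "result". Only "entries" is named on the page.
IP_PATH = ("info", "ipAddress")

# Constructed sample events (not real AM output), one JSON document per line.
SAMPLE = """\
{"eventName":"login","result":"FAILED","entries":[{"moduleId":"DataStore","info":{"ipAddress":"192.0.2.10"}}]}
{"eventName":"login","result":"FAILED","entries":[{"moduleId":"DataStore","info":{"ipAddress":"192.0.2.10"}},{"moduleId":"OTP","info":{"ipAddress":"192.0.2.10"}}]}
{"eventName":"login","result":"SUCCESSFUL","entries":[{"moduleId":"DataStore","info":{"ipAddress":"198.51.100.7"}}]}
{"eventName":"login","result":"FAILED","entries":[{"moduleId":"DataStore","info":{}}]}
{"eventName":"logout","result":"SUCCESSFUL"}
"""

def _dig(obj, path):
    """Walk nested dicts along path; return None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def flatten_event(event, ip_path=IP_PATH):
    """Copy event, adding a top-level client_ip list of the distinct IPs found in entries."""
    ips = []
    for entry in event.get("entries") or []:
        ip = _dig(entry, ip_path)
        if isinstance(ip, str) and ip not in ips:
            ips.append(ip)
    flat = dict(event)
    flat["client_ip"] = ips  # scalar values, no longer inside an array of objects
    return flat

def failed_by_ip(lines, failed_value="FAILED"):
    """Count failed events per client IP; events without an IP count as 'unknown'."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        doc = flatten_event(json.loads(line))
        if doc.get("result") == failed_value:
            counts.update(doc["client_ip"] or ["unknown"])
    return counts

if __name__ == "__main__":
    print(failed_by_ip(SAMPLE.splitlines()).most_common())
```

Failed events whose entries carry no IP are counted under `unknown` rather than dropped, so gaps in the audit data remain visible.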