When querying the ElasticSearch audit index, the available data is pretty limited. Typically you may need to use the document id or path to fetch the actual document in order to get relevant data (like dc:title or file:content.name).
I.e. you may need to perform a "join". Elasticsearch suggests using Application-side joins or denormalizing the data; in fact they recommend denormalizing the data for search performance.
Maybe we could consider adding the document to the index for each audit event? Or a way to link a schema to the event? More info here: https://www.elastic.co/guide/en/elasticsearch/guide/current/denormalization.html
I can understand this might not be desirable for the audit, in terms of index-time performance as well as space. And it's not a customer use case (yet)