Compare different field values in scripted field

ramji · October 3, 2018, 11:07am

Below is the 1st of the document which contains field name "message" which has value in a form of text.

// message Reconciliation for plan 141 - Line 3 is completed

Below is the second document which contains field name "message" which has value as,

// message Reconciliation for plan 141 - Line 3 is Started

Now the requirement is to compare the both of the document field values , if " line 3 is started" and ends with "completed". It has to be returned true and if the message returned as "Line 3 is FAILED", then it has to return false and also in the message you can see that "Plan 141 Line3", The plan number differs and id number keeps changing for different document. This is the scenario in which i have to compare the field values. Let me know if it can be compared even after the number changes also, if not compare only the string values "is started" and "is completed"

Things I tried:

<
def m = /^.*.([a-z]+)$/.matcher(doc['message'].value);
if ( m.matches("Started") ) {
return "true"
} else if ( m.matches("Completed") ){
return "false"
}
else {
return "no match"
}
/>
The above query return an empty array in scripted field in kibana. I don't know why

These things are not returning me what I wanted. I'm missing something.

I tried in painlesscripting in the scripted fields but is not working.

If it cannot be compared with dynamic values, atleast I need to compare the field values "started" and "completed" first.

Marius_Dragomir · October 4, 2018, 11:10am

Some questions about this first:

are you looking for the line completed message in the same document? That should work.
Something like this should be easier to debug:

if (doc['message'].value =~ /Started/) { 
return "true"
} else {
if (doc['message'].value =~ /Completed/) { 
return "false"
} else {return "no match"}
}

ramji · October 5, 2018, 6:00am

No it doesn't work . Still returning empty array. Im looking for lines completed in the different doc but same index. Condition should be like.. if message starts with "Line1 started" and in other document message field should end with "Line1 completed". if the message field contains "Line1 Failed" then it should return as error.

Marius_Dragomir · October 5, 2018, 2:38pm

can you give an example of a doc that should match but i doesn't?

ramji · October 5, 2018, 3:54pm

doc1:
message: Reconciliation for plan 141 - Line 3 is completed

doc2:
message: Reconciliation for plan 141 - Line 3 is started

doc3:
message: Reconciliation for plan 141 - Line 3 is Failed

This is how i will get the logs parsed.
In this case, I need to visualize which is passed, which is started and which is failed.

SO I need to write a query in scripted field in order to visualize.

system · November 2, 2018, 4:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.