I have a string field message in filebeats index
message : "2018-12-07 00:42:57,797;INFO ;ATDSDSFCMTWB03.6612.38.0.0a7eec05-287d-462e-b2b5-bab666ee33e6;1;0;;GetSiteDetailsHandler;2;"
I need to split the string & extract the last integer(which is 2 here) and assign it to a new field .
I know we need to use scripted field(painless script) for this case .
Can someone please suggest painless script query to do this.
I would suggest you split up the message while ingesting events using Filebeat into Elasticsearch. To do this, you will first want to define an Elasticsearch Ingest Node pipeline with the right sequence of processors to perform the splitting of the message field and extraction of the last field from the resulting array. Then you will want to reference this pipeline in your filebeat.yml via the output.elasticsearch.pipeline setting.
To learn more, start with these docs: https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ingest-node.html and https://www.elastic.co/guide/en/elasticsearch/reference/current/split-processor.html.
Thanks I will try this .
Could you please answer this question
https://discuss.elastic.co/t/automatically-delete-1-month-old-documents-without-deleting-index-in-elastic-search-kibana/160041/2
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.