Display a Value from a JSON Field

I see several related forum posts for this, but as far as I can tell, nobody had any success.

This is in Elasticsearch/Kibana 6.7 (AWS-managed, for now). Say I have a field, httpRequest.headers, which has the following contents:

{
  "name": "upgrade-insecure-requests",
  "value": "1"
},
{
  "name": "user-agent",
  "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"
}

I'd like to display the user-agent value in Discover, preferably as the field httpRequest.headers.userAgent.

I understand that there's a way to do that on the fly and also a way to do it via a scripted field. However, I'm striking out.

Could you tell me exactly what/where I'd need to type in Discover to do it on the fly?
Could you also tell me exactly how to create it as a scripted field in the Kibana UI?

Thanks!

If you update to 7.11 or newer, you may use a runtime field. I'm not sure it is possible with 6.7.

Send the following request via Dev Tools in Kibana:

PUT /test_array/_mapping
{
  "runtime":{
    "userAgent":{
      "type":"keyword",
      "script": {
        "source": "for (map in params._source.headers){if (map['name']=='user-agent'){emit(map['value'])}}"
      }
    }
  }
}

That said, if you need such a field, setting the value in an appropriate field at indexing time is better.
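The index-time approach recommended above, sketched as an added example that is not part of the original thread: a Python step that copies one header out of the name/value array into its own field before the document is sent to Elasticsearch. The function name, the target field `httpRequest.userAgent` and the sample document are assumptions made for illustration.

```python
import copy

# Constructed sample, shaped like the httpRequest.headers field in the question.
SAMPLE_DOC = {
    "httpRequest": {
        "headers": [
            {"name": "upgrade-insecure-requests", "value": "1"},
            {"name": "User-Agent", "value": "Mozilla/5.0 (constructed sample)"},
        ]
    }
}


def promote_header(doc, header="user-agent", target="userAgent"):
    """Return a copy of doc with the named header copied to httpRequest.<target>.

    Header names are compared case-insensitively, because HTTP header names
    are case-insensitive and clients send them in varying case. A header that
    appears more than once is stored as a list so no value is silently lost.
    Documents without a usable headers array come back unchanged.
    """
    out = copy.deepcopy(doc)  # never mutate the caller's event
    request = out.get("httpRequest")
    if not isinstance(request, dict):
        return out
    headers = request.get("headers")
    if not isinstance(headers, list):
        return out
    wanted = header.lower()
    values = [
        h["value"]
        for h in headers
        if isinstance(h, dict)
        and isinstance(h.get("name"), str)
        and h["name"].lower() == wanted
        and "value" in h
    ]
    if len(values) == 1:
        request[target] = values[0]
    elif values:
        request[target] = values
    return out


if __name__ == "__main__":
    print(promote_header(SAMPLE_DOC)["httpRequest"]["userAgent"])
```

Mapping the new field as `keyword` keeps the client-supplied string intact for exact-match filtering and aggregations in Discover.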
