Display a Value from a JSON Field

jamiejackson · February 14, 2022, 6:25pm

I see several related forums posts for this but as far as I can tell, nobody had any success.

In Elasticsearch/Kibana 6.7 (AWS-managed, for now). Say I have a field, httpRequest.headers, which has the following contents:

{
  "name": "upgrade-insecure-requests",
  "value": "1"
},
{
  "name": "user-agent",
  "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"
}

I'd like to display the user-agent value in discover, preferably as the field httpRequest.headers.userAgent.

I understand that there's a way to do that on the fly and also a way to do it via a scripted field. However, I'm striking out.

Could you tell me exactly what/where I'd need to type in Discover to do it on the fly?
Could you also tell me exactly how to create it as a scripted field in the Kibana UI?

Thanks!

Tomo_M · February 15, 2022, 5:10pm

If you would update to 7.11 or newer, You may use runtime field. I'm not sure it is possible with 6.7.

Send the following requiest via Dev Tools in Kibana

PUT /test_array/_mapping
{
  "runtime":{
    "userAgent":{
      "type":"keyword",
      "script": {
        "source": "for (map in params._source.headers){if (map['name']=='user-agent'){emit(map['value'])}}"
      }
    }
  }
}

That said, if you need such field, set the value to appropriate field at indexing time is better.

system · March 15, 2022, 5:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.