Empty output when extracting field

sigizmynd · June 17, 2022, 1:08pm

Hello
I want to extract some value from my log:
{
"_index": ".ds-filebeat-8.2.2-2022.06.14-000002",
"_id": "veGbcYEBr3mqBf4wJF1j",
"_version": 1,
"_score": null,
"fields": {
"host.os.name.text": [
"AlmaLinux"
],
"host.hostname": [
"localhost.localdomain"
],
"host.mac": [
""
],
"host.ip": [
"",
"fe80::250:56ff:fe9e:76b6"
],
"agent.type": [
"filebeat"
],
"host.os.version": [
"8.6 (Sky Tiger)"
],
"host.os.kernel": [
"4.18.0-372.9.1.el8.x86_64"
],
"host.os.name": [
"AlmaLinux"
],
"agent.name": [
"localhost.localdomain"
],
"host.name": [
"localhost.localdomain"
],
"host.id": [
"8997582ec6f242adb08b9a207df15268"
],
"event.timezone": [
"+03:00"
],
"host.os.type": [
"linux"
],
"input.type": [
"filestream"
],
"log.offset": [
8087958
],
"agent.hostname": [
"localhost.localdomain"
],
"message": [
"Jun 17 15:19:57 ****** date=2022-06-17 time=15:19:57 device_id=***** log_id=**** type=attack subtype=fw pri=warning vd=data msg_id=**** count=1 proto=6 src="" src_port=48795 dst="" dst_port=38274 inif="" outif="lo" policy="" action="deny" srccountry="" dstcountry="" msg="none""
],
"host.architecture": [
"x86_64"
],
"@timestamp": [
"2022-06-17T12:20:01.497Z"
],
"agent.id": [
"2b6d7134-0c6d-4752-a0f0-02d4ab0bfcf5"
],
"ecs.version": [
"8.0.0"
],
"host.containerized": [
false
],
"host.os.platform": [
"almalinux"
],
"log.file.path": [
"******"
],
"agent.ephemeral_id": [
"2fb2a119-a1b5-4eac-8d75-1399bc0299db"
],
"agent.version": [
"8.2.2"
],
"host.os.family": [
""
]
},
"sort": [
1655468401497
]
}

When i write Painless script (from add field), i recieve empty output
def path = doc["message"].value.splitOnToken('"');
emit(path[1]);
But if I open Painless debug, and write
def t = path.splitOnToken('"');
return(t[1]);
I recieve normal value.
Where is error?

Tomo_M · June 20, 2022, 9:09am

What is the field type of message? Doc_values store only columnar field values and text fields are not stored by default. Script fields can access text fields by params._source.message.

sigizmynd · June 20, 2022, 10:04am

Message is text-field. params._source.message not show value.
How use script-filed in Create-field-page?

Tomo_M · June 20, 2022, 12:41pm

Are you using version 8? If so, script fields for index pattern are deprecated in 7.13 and there are runtime fields for data views, sorry. These links will help you.

Anyway, params._source.message should work fine. In my environment of 7.17, params._source.agent worked fine for a text field in kibana_sample_data_logs.

sigizmynd · June 20, 2022, 1:03pm

It is really work on 8.2. Thank You

sigizmynd · June 20, 2022, 1:27pm

Sorry, one more question, how can I check for size (if not null)?
def path=params._source.message.size();
emit(path)
Retirn "Value not set

sigizmynd · June 23, 2022, 12:24pm

I've done it
if(params._source.message != null)
{
def path=params._source.message;
def t = path.splitOnToken('"');
emit(t[1]);

}

system · July 21, 2022, 12:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.