Hey everyone, I'm using an ELK stack for our bind (DNS) query logs and would like to create a "Top Domains" visualization which I can almost do with the full 'dns_dest' field. But, I don't want the full URL of the lookup, just the domain name.
Can I use a scripted field to create a new field with the domain? It's just for visualization purposes (I think) so a scripted field might do the trick.
Would it be more efficient to have Logstash do this with a filter?
The flippant answer is yes, this would be more efficient with logstash.
The more considerate answer is the following. You can do that with scripted fields, but you'll want to use the painless or groovy language for that. In Kibana 4, you can only write numerical expressions, so that probably won't help you. In Kibana 5 beta, with painless or groovy, you can do string operations.
So I think it depends. If you can use logstash to parse it out, do that, it will have better performance. If not, Kibana 5 allows you to write scripted fields where you can parse text.
Btw, don't use Groovy, because it deprecated and will be removed in 6.0. Stick with Painless if you decide to do something advanced with scripted fields. If interested, here is a blog that walks you through what to do there: https://www.elastic.co/blog/using-painless-kibana-scripted-fields
However, if you know you need a field ahead of time, just parse it with Logstash. I'd reserve scripted fields for experimentation when the fields you need right now are simply not there, but once they are confirmed as useful, i'd go back to the datasource and index them directly to avoid on-search performance hit.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.