Extract value from message field (runtime fields)

@jplopezy Look

OHHHHH I may have found a way using the _source

However, there are cases where retrieving fields from _source is necessary. For example, text fields do not have doc_values available by default, so you have to retrieve values from _source. In other instances, you might choose to disable doc_values on a specific field.

It will not be efficient and I would not recommend it at scale...

Try this as the code in the runtime field

```
String username = grok('%{GREEDYDATA:leading_data}/CN=%{DATA:username}\'').extract(params._source.message)?.username;
if (username != null) emit(username);
```
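To check what the grok pattern above captures before relying on the field in searches or detections, here is an added example (not part of the original post) that approximates the pattern with a Python regex, using grok's stock definitions GREEDYDATA = `.*` and DATA = `.*?`. The sample messages are constructed and the function name is hypothetical. It shows that a message with several `/CN=` entries yields the last one, and that a message without the closing quote yields nothing.

```python
import re

# Approximation of the post's grok pattern, not the Elasticsearch grok engine:
#   %{GREEDYDATA:leading_data}/CN=%{DATA:username}'
# GREEDYDATA is `.*` (greedy), DATA is `.*?` (lazy).
CN_PATTERN = re.compile(r"(?P<leading_data>.*)/CN=(?P<username>.*?)'")


def extract_username(message):
    """Return the captured username, or None when nothing matches.

    None corresponds to the runtime field emitting no value.
    """
    if message is None:
        return None
    match = CN_PATTERN.search(message)
    return match.group("username") if match else None


# Constructed sample messages (assumed log shapes, not from the thread).
SAMPLES = [
    # Single CN followed by a closing quote: the expected case.
    "TLS client auth ok subject='/C=US/O=Example/CN=jdoe'",
    # Two CNs: the greedy leading_data consumes up to the LAST "/CN=",
    # so the issuer CN is captured instead of the subject CN.
    "auth ok subject='/C=US/CN=jdoe' issuer='/C=US/CN=Example CA'",
    # No certificate subject at all.
    "TLS client auth failed: no certificate presented",
    # CN present but no closing quote, which the pattern requires.
    "subject=/C=US/O=Example/CN=jdoe",
]


def run_samples():
    """Apply the extraction to every constructed sample, in order."""
    return [extract_username(message) for message in SAMPLES]


if __name__ == "__main__":
    for message, username in zip(SAMPLES, run_samples()):
        print(f"{username!r:15} <- {message}")
```

If the subject CN is the value wanted and other `/CN=` entries can follow it in the same message, the pattern needs an anchor on the subject portion of the message.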