Extract value from message field ( runtime fields)

stephenb · August 10, 2022, 1:57am

OHHHHH i may have found a way using the _source

However, there are cases where retrieving fields from _source is necessary. For example, text fields do not have doc_values available by default, so you have to retrieve values from _source . In other instances, you might choose to disable doc_values on a specific field.

it will not be efficient and I would not recommend at scale...

Try this as the code in the runtime field

String username=grok('%{GREEDYDATA:leading_data}/CN=%{DATA:username}\'').extract(params._source.message)?.username;
if (username != null) emit(username);

Topic		Replies	Views
Extract logs from the message field and create new separate runtime fields Kibana runtime-fields	20	2011	January 5, 2023
Kibana runtime fields in elastic 8.4.0 Kibana runtime-fields	2	480	January 4, 2023
Extract information from raw messages in KIBANA Kibana	3	7363	January 21, 2020
Extract fields from multiline message Kibana	10	3369	November 21, 2019
Basic runtime fields to pull data from message field Elasticsearch runtime-fields	2	223	May 10, 2024

Extract value from message field ( runtime fields)

Related topics