Extract value from message field ( runtime fields)

stephenb · August 10, 2022, 1:57am

OHHHHH i may have found a way using the _source

However, there are cases where retrieving fields from _source is necessary. For example, text fields do not have doc_values available by default, so you have to retrieve values from _source . In other instances, you might choose to disable doc_values on a specific field.

it will not be efficient and I would not recommend at scale...

Try this as the code in the runtime field

String username=grok('%{GREEDYDATA:leading_data}/CN=%{DATA:username}\'').extract(params._source.message)?.username;
if (username != null) emit(username);

Topic		Replies	Views
Basic runtime fields to pull data from message field Elasticsearch runtime-fields	2	161	May 10, 2024
Extracting substring from a field Kibana runtime	5	193	July 7, 2024
Runtime field kibana Elasticsearch runtime-fields	2	703	March 1, 2023
Extract logs from the message field and create new separate runtime fields Kibana runtime-fields	20	1577	January 5, 2023
Extracting fields from existing message field in windows logs Logstash	4	505	January 11, 2022

Extract value from message field ( runtime fields)

Related topics