Extract value from message field ( runtime fields)

stephenb · August 10, 2022, 1:57am

OHHHHH i may have found a way using the _source

However, there are cases where retrieving fields from _source is necessary. For example, text fields do not have doc_values available by default, so you have to retrieve values from _source . In other instances, you might choose to disable doc_values on a specific field.

it will not be efficient and I would not recommend at scale...

Try this as the code in the runtime field

String username=grok('%{GREEDYDATA:leading_data}/CN=%{DATA:username}\'').extract(params._source.message)?.username;
if (username != null) emit(username);

Topic		Replies	Views
Extracting substring from a field Kibana runtime	5	156	July 7, 2024
Parse logs Trent Micro Email Security Elasticsearch	5	93	June 28, 2024
Extracting the JSON fields from the message Logstash	10	27989	May 5, 2020
Help needed for scripting for runtime fields Kibana	27	1975	April 4, 2023
Logstash : How to extract a nested field from Json log and only index the content of the nested field Logstash	6	1728	November 24, 2022

Extract value from message field ( runtime fields)

Related Topics