How to create a scripted field using wildcard

elasticheart · March 23, 2017, 9:03pm

Hi,

I am using ELK GA 5.0.0. I have manged to create a painless scripted field triggered in Kibana like;

doc['Action'].value == 'PostA' ? 1 : 0

I have some selective actions like Post404, Post200 etc. I cant say the exact names since it increases. What I want is, when my doc['Action'].value has values PostA, PostB,.. etc or GetA, GetB,.. etc, i want doc['Action'].value to be 1, else 0. How can I do this?

Thanks in advance..

cjcenizal · March 23, 2017, 11:47pm

Hey there, I think I have a solution for you... can you try create a scripted field like this:

['PostA', 'PostB', 'PostC'].contains(doc['Action'].value) ? 1 : 0

If you need something more dynamic than a concrete list, you could try using regionMatches to match anything containing a substring:

doc['Action''].value.regionMatches(true, 0, 'Post', 0, 4)

Let me know if this helps!

And I'm pretty sure we have your username trademarked, so expect a letter from our lawyers soon (just kidding!!!!).

Thanks,
CJ

elasticheart · March 24, 2017, 4:42am

Hi @cjcenizal , I need a dynamic solution and in your second solution, I can see only 0, and there is no 1.

I have created the username without knowing that there is a service in that name. I am unable to change it my settings, it is disabled.

cjcenizal · March 24, 2017, 4:55am

Oops, I forgot to add the ternary:

doc['Action''].value.regionMatches(true, 0, 'Post', 0, 4) ? 1 : 0

Do you see what it's doing? It's checking to see if the substring "Post" is in the first four characters of the "Action" field value. You can also take a look at the docs I linked to see how regionMatches works. You could update this for any kind of substring value you're looking for.

I love your username! Please don't change it, I was only joking.

Thanks,
CJ

elasticheart · March 24, 2017, 5:42am

Thank you so much. so lemme keep this username..

@cjcenizal I have one doubt. I have created a scripted field like below;

if (doc['error'].value == 'NONE') { 
  return 0;
}else if (doc['error'].value == 'ERRX') { 
  return 0;
}
return 1;

The value is generated fine, but when I try to filter it + or - , I am getting compilation error in discover. Why is this happening?

cjcenizal · March 24, 2017, 4:37pm

Hmm. What's the name of the scripted field? Could you share the error with me?

Thanks,
CJ

system · April 21, 2017, 4:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.