How to create a scripted field with multiple conditions check?

elasticheart · March 24, 2018, 6:26am

Hi,

I am using ELK GA 5.0.0. In my index, I have a string field named name. I want to create a field named category based on the value of name. Below is the pseudo code;

if(name== 'elephant' || name== 'lion' || name== 'rabbit' || name== 'zebra' || name== 'monkey'){
    category = 'animals'
}else if(name== 'tuna' || name== 'whale' || name== 'shark'){
    category = 'fish'
}else if(name== 'cobra' || name== 'viper' || name== 'python' || name== 'mamba'){
    category = 'snake'
}else if(name== 'crocodile' || name== 'alligator'){
    category = 'reptile'
}else if(name== 'butterfly' || name== 'spider' || name== 'beetle' || name== 'bug' || name== 'dragonfly'){
    category = 'insect'
}else if(name== 'parrot' || name== 'eagle' || name== 'crow' || name== 'owl' || name== 'nightingale'){
    category = 'birds'
}else{
    category = 'others'
}

How can I create this field?

Thank you.

Christian_Dahlqvist · March 24, 2018, 12:18pm

I more recent versions you should be able to do this using a scripted field using Painless. Not sure whether but is possible in earlier versions. In general it would however probably be faster and more efficient to add this as a field at index time.

elasticheart · March 24, 2018, 12:20pm

Ok @Christian_Dahlqvist I refered that before, but how to create such a painless rule?

Christian_Dahlqvist · March 24, 2018, 12:22pm

Well, first you probably need to upgrade to Elasticsearch 5.6 or 6.x as Painless is not available in Elasticsearch 5.0.0.

elasticheart · March 24, 2018, 12:25pm

Ok, but previously, I have created fields like;

doc['category.keyword'].value == 'vegetable' || doc['category.keyword'].value == 'meat' ? 1 : 0

This is working fine for me.

Christian_Dahlqvist · March 24, 2018, 12:26pm

Why not simply add this at index time?

elasticheart · March 24, 2018, 12:29pm

Good question

But actually, my logstash is generic and taking much cpu already. Thought of adding this to logsatsh, so that I can easily modify my data accordingly, but there are reasons. My only possible hope is scripted field now, thats y

Christian_Dahlqvist · March 24, 2018, 12:36pm

This blog post provides a good introduction, and actually points out that Painless is available in version 5.0, so I was remembering wrong earlier.

Christian_Dahlqvist · March 24, 2018, 12:57pm

Something like this may work (although I have not tested it):

def birds = ["parrot", "eagle", "crow"]; 
def insects = ["spider", "beatle];
if(birds.contains(doc["name"].value)) { 
    return "bird"; 
} else if (insects.contains(doc["name"].value) { 
    return "insect"; 
} else {
    return "other";
}

elasticheart · March 24, 2018, 1:24pm

Ok. Lemme see.

Topic		Replies	Views
Scripted field using painless - creating new field based on multiple fields Kibana painless	4	2133	March 7, 2022
Help in 'painless scripted field creation' Kibana	3	434	October 3, 2018
Scripted Fields creation issue In Kibana Kibana	2	452	January 16, 2019
How to create a scripted field using wildcard Kibana	6	2525	April 21, 2017
How to check multiple values using if else condition in field and create a new scripted field? Kibana	16	3575	June 11, 2020

How to create a scripted field with multiple conditions check?

Related topics