How to search substring from log field using the scripted fields in painless without regex

I am trying to create some scripted fields using Painless by capturing some "keyword" in the log field, which is a long text field. For example, I have a bunch of log fields:

"Error: Duplicate entry in user1"

"Error: Duplicate entry in user2"

"Error: Duplicate entry in user1"

"Error: Duplicate entry in user3"

"Error: Duplicate entry in user2"

"Error: Duplicate entry in user1"

"Error: Duplicate entry in user3"

The painless I was using:

if (doc['log.keyword'].value == 'Duplicate entry') {
    return "match";
}
return "No match";

To only capture the "Duplicate entry" error message regardless of userID, I am sure I need to use regex. I am just wondering if there is another way to do it without using regex. Any suggestions?

You can use .substring just like it's used in Java and then check to see if it's bigger than or equal to 0. If it is, there's a match.

Reviewing the Painless API Reference suggests that there is a String.Contains(CharSequence) function. Haven't tried it, but looks like exactly what you need.

Depending on data volumes, extracting for every document for every query might get slow and computationally expensive. If this is the case, you might be better off performing this work at index time and storing the result in a separate, real field.
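The index-time approach suggested above, as an added example that is not part of the original thread: an ingest pipeline whose Painless script does the substring check once per document and stores the result in a real field. It is written for the Kibana Dev Tools Console and assumes the message is in a top-level field named log; the pipeline name, the error_type field, and the sample documents are hypothetical and constructed for illustration.

```console
# Added example. Pipeline name and the "error_type" field are hypothetical.
PUT _ingest/pipeline/tag-duplicate-entry
{
  "description": "Tag 'Duplicate entry' errors at index time",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "source": """
          // ctx is the incoming document; 'log' may be missing or not a string.
          def msg = ctx['log'];
          // indexOf returns -1 when the substring is absent, so >= 0 means a match.
          if (msg instanceof String && msg.indexOf('Duplicate entry') >= 0) {
            ctx['error_type'] = 'duplicate_entry';
          } else {
            ctx['error_type'] = 'other';
          }
        """
      }
    }
  ]
}

# Dry-run the pipeline against constructed sample documents before using it.
POST _ingest/pipeline/tag-duplicate-entry/_simulate
{
  "docs": [
    { "_source": { "log": "Error: Duplicate entry in user1" } },
    { "_source": { "log": "Error: Connection timed out" } },
    { "_source": { "status": "no log field here" } }
  ]
}
```

Once documents are indexed through such a pipeline, filtering or aggregating on the stored field replaces the per-query script.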

Hi Marius. Thanks for the reply and for suggesting .substring. I did not see documentation about whether it will return 0 or non-zero.

Hi dpr. Thanks for the reply. I use the script like this:

doc['log.keyword'].value.contains('Error')

It doesn't work. However, when I simply display all log messages using

doc['log.keyword'].value

It works. I am pretty sure the log messages have the word "Error"; I did not capture that. Do you know what the issue is? Thanks.
