Is there any way to create an additional field without using Scripted field and Logstash?

elasticheart · July 2, 2018, 9:20am

Hi,

I am using ELK GA 6.3.0. In my index, there is a number attribute, currently taking as string. To perform aggregations, I have created a number scripted field like;

return doc['field_a'].value;

This works fine, but utilizes CPU. Is there any way to achieve the same, more efficiently, and without using Logstash?

Thanks.

Christian_Dahlqvist · July 2, 2018, 9:56am

Yes, you can reindex your data and add a new field with correct mapping using the reindex API together with a script or ingest pipeline. To add this on the ingest side for new data, create an ingest pipeline for this as well.

elasticheart · July 2, 2018, 11:17am

Thank you @Christian_Dahlqvist . Could you kindly show me some code to create a pipeline which convert string data in field_a to a number, and store it in field_b in the index my_index-*?

Thanks.

Christian_Dahlqvist · July 2, 2018, 11:42am

Try a pipeline with e.g. a grok processor:

{
  "processors" : [
    {
      "grok": {
        "field": "field_a",
        "patterns": ["%{NUMBER:field_b:int}"]
      }
    }
  ]
}

elasticheart · July 2, 2018, 11:43am

Thanks Christian

system · July 30, 2018, 11:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.