we have csv file which contains data(basically events data from different sources) and it has one field named Body. we have uploaded those file data into elasticsearch index. the Body field has multiple lines and it has "host" word then followed by "host name". each document has host word but hostname is different. I can run queries in Kibana to find out the Body has "host" . But I need to run query to store the hostname value into one field and need to apply aggregation(group by) on hostname. can you please let me know is it possible to create query to search for "host" word in body field then store next word of host ie hostname to different field then apply group by on that new stored field ?
Sounds like you still need to do more parsing, prior to indexing, to parse the Body field and extract the value for both host and hostname. There are two ways here:
- If you can just ingest the data again, then either use Logstash with grok or Ingest Pipeline also with grok to parse this
Body. - If you can't ingest anymore, then reindex into a new index using the Reindex API and a script to parse this
Body.
After this reprocessing you may be able to do more detailes queries over your data.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.