Mapping; extract substring from URL as its own field

Out logging contains all URLs that comes in to our server
Now in the full URL is in the "message" field

I would like to extract "orders" from "http://server/api/orders?"
This way I will be able to easily group by this when I do aggregation which would otherwise not be possible

Can this be done with elastic mapping ?
or does this have to happen before the mapping ?


you may want to check out the ingest node in combination with the dissect processor

POST _ingest/pipeline/_simulate
  "pipeline": {
    "processors": [
        "dissect": {
          "field": "input",
          "pattern": "%{url}?%{param_string}"
  "docs": [
    {"_source" : { "input" : "" } }

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.