Override fields with update_per_query

Hi,

I am new to Elasticsearch and I am trying to filter and replace some HTTP status codes.

I've got error logs like these:
'Error domain: NSURLErrorDomain Code=-1005'

'HTTP 404 not found'

'Error domain: mycompany.ErrorDomain Code=201'

'Error Domain=NSURLErrorDomain Code=-1005 "The network connection was lost." UserInfo={_kCFStreamErrorCodeKey=53, NSUnderlyingError=0x28358a640 {Error Domain=kCFErrorDomainCFNetwork Code=-1005 "(null)" UserInfo={NSErrorPeerAddressKey=<CFData 0x281802580 [0x1e2c23cf0]>{length = 16, capacity = 16, bytes = 0x10021f4017ed9ccb0000000000000000}, _kCFStreamErrorCodeKey=53, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <9ABFF999-25B7-448E-91DC-B4B8A0DF5496>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <9ABFF999-25B7-448E-91DC-B4B8A0DF5496>.<1>"
), NSLocalizedDescription=The network connection was lost., NSErrorFailingURLStringKey=http://stream.a.txlr.net:8000/;, NSErrorFailingURLKey=http://stream.a.txlr.net:8000/;, _kCFStreamErrorDomainKey=1}'

and so on ...

I want to replace these long messages by just showing the error codes (404, 1001, ...).

I tried grok but I do not really know how to do this and how to implement that in the console by using POST / ... / update_per_query.

Can someone help me?

Thanks!

I tried this:

POST ude_sess_copy/_update_by_query
{
  "script": {
    "lang": "painless",
    "source": """
      // Map each known message pattern to its numeric code
      if ((ctx._source.httpStatus =~ /HTTP 404/) || (ctx._source.httpStatus =~ /404 Not/) || (ctx._source.httpStatus =~ /404 File/)) {
        ctx._source.httpStatus = 404;
      } else if (ctx._source.httpStatus =~ /Code=-1005/) {
        ctx._source.httpStatus = -1005;
      } else if (ctx._source.httpStatus =~ /Code=-1001/) {
        ctx._source.httpStatus = -1001;
      } else if (ctx._source.httpStatus =~ /Code=201/) {
        ctx._source.httpStatus = 201;
      } else if (ctx._source.httpStatus =~ /Code=-1009/) {
        ctx._source.httpStatus = -1009;
      } else if ((ctx._source.httpStatus =~ /HTTP 403/) || (ctx._source.httpStatus =~ /403 Forbidden/) || (ctx._source.httpStatus =~ /403 Station/)) {
        ctx._source.httpStatus = 403;
      } else if ((ctx._source.httpStatus =~ /HTTP 503/) || (ctx._source.httpStatus =~ /503 Server/)) {
        ctx._source.httpStatus = 503;
      } else if (ctx._source.httpStatus =~ /Code=-1004/) {
        ctx._source.httpStatus = -1004;
      } else if (ctx._source.httpStatus =~ /Code=-1003/) {
        ctx._source.httpStatus = -1003;
      } else if (ctx._source.httpStatus =~ /Code=53/) {
        ctx._source.httpStatus = 53;
      } else if (ctx._source.httpStatus =~ /502 Bad/) {
        ctx._source.httpStatus = 502;
      } else if (ctx._source.httpStatus =~ /401 Unauthorized/) {
        ctx._source.httpStatus = 401;
      }
    """
  }
}

But I got the error "Regexes are disabled. Set [script.painless.regex.enabled] to [true] in elasticsearch.yaml to allow them. Be careful though, regexes break out of Painless's protection against deep recursion and long loops." So it would be better to not disable them, right?
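
The error quoted above is Painless refusing regex literals; the same cleanup can be done with plain string methods, so the regex setting can stay off and the script stays inside Painless's loop protection. This is an added example, not part of the original post: it assumes NSError-style messages carry the wanted code after their first `Code=` and HTTP-style messages carry the status as their first run of exactly three digits, which generalises the branches in the post.

```console
POST ude_sess_copy/_update_by_query
{
  "script": {
    "lang": "painless",
    "source": """
      // Regex-free extraction; the parsing rules are assumptions (see lead-in).
      def raw = ctx._source.httpStatus;
      boolean changed = false;
      if (raw instanceof String) {
        String s = raw;
        int p = s.indexOf('Code=');
        if (p >= 0) {
          // NSError style: optional '-' then digits after the first "Code=".
          // At most 9 digits are read so Integer.parseInt cannot overflow.
          int i = p + 5;
          int j = i;
          if (j < s.length() && s.charAt(j) == (char) '-') { j++; }
          int d = j;
          while (j < s.length() && j - d < 9 && Character.isDigit(s.charAt(j))) { j++; }
          if (j > d) {
            ctx._source.httpStatus = Integer.parseInt(s.substring(i, j));
            changed = true;
          }
        } else {
          // HTTP style: first run of exactly three digits, e.g. "HTTP 404 not found".
          int run = 0;
          for (int k = 0; k <= s.length() && !changed; k++) {
            if (k < s.length() && Character.isDigit(s.charAt(k))) {
              run++;
            } else {
              if (run == 3) {
                ctx._source.httpStatus = Integer.parseInt(s.substring(k - 3, k));
                changed = true;
              }
              run = 0;
            }
          }
        }
      }
      // Skip documents with no recognisable code (or an already numeric value).
      if (!changed) { ctx.op = 'noop'; }
    """
  }
}
```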
