rugenl
(Len Rugen)
June 22, 2021, 12:29am
1
I'm trying to create a scripted field but can't get the doc value. I have:
def fpath = doc['winlog.user_data.FilePath'].value;
def first = fpath.indexOf("\\");
def second = first + 1 + fpath.substring(first + 1).indexOf("\\");
def third = second + 1 + fpath.substring(second + 1).indexOf("\\");
return "%USERPROFILE%\\" + fpath.substring(third + 1);
Which gets an error:
"org.elasticsearch.index.fielddata.ScriptDocValues$Strings.getValue(ScriptDocValues.java:503)",
"fpath = doc['winlog.user_data.FilePath'].value;\r\ndef ",
" ^---- HERE"
The error is under the period before value if it doesn't post correctly.
Any ideas? This is on a standard winlogbeat 7.13 template (but in elastic/kibana 7.9.2 system)
spinscale
(Alexander Reelsen)
June 22, 2021, 7:51am
2
Please share the full exception/stack trace in a gist.
I assume that there are documents where the field does not exist, but that is just an assumption for now.
rugenl
(Len Rugen)
June 22, 2021, 12:15pm
3
Yes, the field only exists in some docs. I've updated the script to exit if the field doesn't exist and it works now.
The "helpful hint" about the size() trick is at the bottom of the unfriendly stack trace and I hadn't noticed it.
if (doc['winlog.user_data.FilePath'].size() == 0) {
return ''
}
def fpath = doc['winlog.user_data.FilePath'].value;
def first = fpath.indexOf("\\");
def second = first + 1 + fpath.substring(first + 1).indexOf("\\");
def third = second + 1 + fpath.substring(second + 1).indexOf("\\");
return "%USERPROFILE%" + fpath.substring(third);
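A variant of the scripted field above that also covers paths with fewer than three backslashes, where `indexOf` returns -1 and the offset arithmetic would silently pick the wrong substring. This is an added example, not part of the original posts; the rule that only paths whose second component is `Users` are rewritten is an assumption about the data.

```painless
// Added example (not from the thread): Kibana scripted field, Painless, type string.
def values = doc['winlog.user_data.FilePath'];
// Documents without the field have no doc values; calling .value on them throws.
if (values.size() == 0) {
    return '';
}
String fpath = values.value;
// Locate the first three backslashes: after the drive, after "Users",
// and after the profile name.
int[] pos = new int[3];
int from = 0;
for (int i = 0; i < 3; i++) {
    pos[i] = fpath.indexOf('\\', from);
    if (pos[i] < 0) {
        // Fewer than three separators: return the path unchanged.
        return fpath;
    }
    from = pos[i] + 1;
}
// Assumption: only paths of the form <drive>\Users\<name>\... are rewritten.
if (!fpath.substring(pos[0] + 1, pos[1]).equalsIgnoreCase('Users')) {
    return fpath;
}
// Keep the third backslash so the result reads %USERPROFILE%\rest\of\path.
return '%USERPROFILE%' + fpath.substring(pos[2]);
```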