Painless, if two field exists then calculate

Elastic Stack Kibana
1

I create painless script:

if (doc.containsKey('request.timestamp') && doc.containsKey('response.timestamp')) { return (doc['response.timestamp'].value - doc['request.timestamp'].value) } return null;

It's mean that if field: request.timestamp and response.timestamp exists, then calculate the time difference. If not, return null.
But after I save this on kibana "scripted field" I got an error: "Courier Fetch: 9 of 27 shards failed."

Where am I wrong?

3 Likes
2

Hi,

Can you please post the full error log which you see on the screen and if there is any in Kibana and elastic logs?

Thanks,
Bhavya

3

Hi, @bhavyarm
On kibana I see an only warning message:

Screenshot%20at%202018-00-30%2010-00-42
Screenshot at 2018-00-30 10-00-42.png1903×78 9.21 KB

On console kibana I cannot see error logs, but in elasticsearch I see:

[2018-01-30T07:56:31,984][WARN ][o.e.d.c.ParseField       ] Deprecated field [inline] used, expected [source] instead
[2018-01-30T07:56:31,984][WARN ][o.e.d.c.ParseField       ] Deprecated field [inline] used, expected [source] instead
[2018-01-30T07:56:31,984][WARN ][o.e.d.c.ParseField       ] Deprecated field [inline] used, expected [source] instead
[2018-01-30T07:56:31,984][WARN ][o.e.d.c.ParseField       ] Deprecated field [inline] used, expected [source] instead
[2018-01-30T07:56:31,985][WARN ][o.e.d.c.ParseField       ] Deprecated field [inline] used, expected [source] instead
[2018-01-30T07:56:31,985][WARN ][o.e.d.c.ParseField       ] Deprecated field [inline] used, expected [source] instead
[2018-01-30T07:56:31,985][WARN ][o.e.d.c.ParseField       ] Deprecated field [inline] used, expected [source] instead

p.s this happened after I upgraded ES to 6.1.1
this painless script works fine now on version ES 5.5.1

4

Hi,

I am not quite sure whats happening here. I think there is a bug in here. I will keep you posted.

Cheers,
Bhavya

5

Ok I thoroughly tested scripted fields just now and am not hitting any bug or the error. Can you please check if your field's types are defined correctly in when you created them?

scripted_field
scripted_field.jpg2560×1600 1.18 MB

Thanks,
Bhavya

6

Hi,
I open the same event on two different ELK (5.5.1 and 6.1.1) on kibana and switch to "json" view:

Screenshot%20at%202018-56-30%2016-56-18
Screenshot at 2018-56-30 16-56-18.png737×414 30.6 KB

all timestamp fields for version 6.1.1 have a format "text" for version 5.1.1 have format "Unix time". Fields have the same look and same type = date, difference only in "json" view.
for my script, I chose type =number, Format = Number.
this works on es 5.5.1

7

OK! I resolved my problem:
if (!doc['response.timestamp'].empty && !doc['request.timestamp'].empty) { return (doc['response.timestamp'].date.millisOfDay - doc['request.timestamp'].date.millisOfDay)} else { return null;}

:star_struck:

thank you @bhavyarm for your attention

9 Likes
8

Thank you for keeping us posted here. It's very helpful for the community!

Cheers,
Bhavya

2 Likes
9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.