Painless script query giving error for "message" field and working fine for other fields in filebeats

I have 2 fields of string type in filebeat index:

  1. _index = kibana_sample_data_flights
    (This field is marked aggregatable by default)

  2. message : 2018-12-21 02:31:31,792;INFO ;XSYD.2.5.0.1a5e8-uye1-9d87-8744-5343db306cd8;1;0;;GETCONFPRO;0;

I want to split by ; and get the timestamp.
(This field is marked non-aggregatable by default; I made it aggregatable.)

Now I create a scripted field called firstword (I am splitting the string (message or _index) using underscore as the delimiter and getting the first word).

When I try it for the _index field, the painless query works as expected:

String[] parts = /_/.split(doc['_index'].value);
return parts[0];

But when I try it for the message field, I get an error (3 of 6 shards failed) when I click on Discover:

String[] parts = /;/.split(doc['message'].value);
return parts[0];

Furthermore, even simple parsing of the message field using the query below

return doc['message'].value;

is giving the same error (3 of 6 shards failed):

I am a beginner to ELK. Can someone please help me resolve this?
Thanks a lot in advance.
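The shard failures in the question are the usual result of reading a text-mapped field through doc[...]: a text field is analyzed and stores no doc values, so doc['message'].value throws on every shard that holds a document, while _index and other keyword-type fields work. The example below is an added scripted-field script, not code from the original post or from Elastic; it assumes the Elasticsearch mapping defines message as text with a keyword multi-field named message.keyword (if the Filebeat template does not, that subfield has to be added in the template and the index re-created or rolled over before new data is written, since a mapping change never applies to documents already indexed).

```painless
// Added example (not from the thread). Assumes the mapping has a
// 'message.keyword' multi-field; a plain 'text' field has no doc values,
// which is why doc['message'].value fails the shards.
if (doc['message.keyword'].size() == 0) {
  // Document has no message value (missing, or longer than the keyword
  // field's ignore_above limit): return an empty string instead of throwing.
  return "";
}
String msg = doc['message.keyword'].value;
// Take everything before the first ';' (the timestamp in the sample line)
// without a regex, so the script does not depend on
// script.painless.regex.enabled being turned on.
int cut = msg.indexOf(';');
return cut < 0 ? msg : msg.substring(0, cut);
```

The same body works as a Kibana scripted field (language painless) or in a script_fields clause of a search request. Enabling fielddata on the text field itself is not a substitute: doc['message'] would then return analyzed tokens rather than the original line, so the split would not see the ';' separators. What has to be aggregatable is the field in the Elasticsearch mapping, which the keyword subfield provides.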

If you changed it to aggregatable after the data was ingested, this will only apply to further data points that are ingested. You need to set the field as aggregatable in the template before the data is ingested into ES, as the aggregation is done at ingest time.

I added new data. Even with that it's not working.
Do you mean making the field aggregatable is the correct approach to solve the above problem?
I am very new to ELK. Can you please guide me on how to set the field as aggregatable in the template (by template, do you mean filebeat.yml?) before the data is ingested?
Should I delete the existing index?
I will be thankful if you can mention the steps.

Can someone please guide me on how to fix this?
