Painless scripted field with regex syntax

Elastic Stack Kibana
1

Hi,
Here is how my massage column (under available fields) looks like:
[2018-07-12 19:02:09.050][][][] TRANS | app | TRANS | [ud.queue.name=UDReplyQueue_][req=HDRA2||MSN| NP**||][exec.time=435][usw.time=435][resp=HDRA2|GDS**|SGA**| UMN*****||]

so I am using following script to get SGA from all records:
def m = \|SGA([^\|]+).matcher(doc["_source"].value);
if ( m.matches() ) {
return m.group(1)
} else {
return "no match"
}

But this is giving me a compile error. Maybe there is something with its syntax. I would appreciate any help. Thanks!

SJ

2

You need to wrap your regex with /s. It should look like

def m = /\|SGA([^\|]+)/.matcher(doc["_source"].value);
if ( m.matches() ) {
return m.group(1)
} else {
return "no match"
}

Also, make sure you have regex enabled, by adding script.painless.regex.enabled: true in your elasticsearch.yml.

2 Likes
3

Thanks Catherine!

image
image.png1471×341 26.2 KB

but even following query is not returning anything:
doc['message.keyword'].value

I do see some content under message field on discover tab but I don't see any thing under this new field. When I try to use regex, it gives me a compile error. Maybe there is something different in that message field.

SJ

4

Instead of accessing doc['message.keyword'].value, does it work with doc['message'].value?

5

I get following error when I use (doc['message'].value) syntax instead:
courier fetch: 1 of 5 shards failed.

This is a very long field though. Maybe 'doc' statement here has a word limitation?

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.