Painless search

Hi,

I'm trying to use a painless script for extracting data from a Cisco message. I know you will tell me that it is better to index it properly from the start with a new ASA pattern, but for now I urgently need to extract the data.

The message string is

Mar 31 22:57:07 fortinet.xxx.com %ASA-4-113019: Group = XXXX_Users, Username = XXXXXX, IP = 000.000.000.000, Session disconnected. Session Type: SSL, Duration: 4h:05m:16s, Bytes xmt: 7035523, Bytes rcv: 4277273, Reason: Idle Timeout, Session Type: SSL, Duration: 4h:05m:16s, Bytes xmt: 7035523, Bytes rcv: 4277273, Reason: Idle Timeout

And I want to extract the Duration in seconds.

I've tried

def t = /^.*Duration\\: ([0-9]+)h\\:([0-9]+)m\\:([0-9]+)s/.matcher(doc['message.keyword'].value);
if ( t != null ) {
   return (Integer.parseInt((t.group(1)) * 60 * 60) + (Integer.parseInt(t.group(2)) * 60) + Integer.parseInt(t.group(3)))
} else {
   return 0
}

But I always get 0. Also, if I only put one \ before the : I get an error.

Any idea?

Rgds,
Jaume.

Hi, I've checked the syntax and rewriting it like this should work (try with both message and message.keyword):

def t = /^.*Duration\: ([0-9]+)h\:([0-9]+)m\:([0-9]+)s/.matcher(doc['message'].value);
if (t.find()) {
   return Integer.parseInt(t.group(1))* 60 * 60 + Integer.parseInt(t.group(2)) * 60 +  Integer.parseInt(t.group(3))
} else {
   return 0
}

Hi,

Thanks for your reply. I finally got it working with the following syntax in Dev Tools:

GET filebeat-*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "event.action: disconnected AND (message: User Requested OR message : timeout)"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-100d",
              "lte": "now"
            }
          }
        }
      ]
    }
  },
  "script_fields": {
    "sc-duration": {
      "script": {
        "lang": "painless",
        "source": "def t = /^.*Duration\\: ([0-9]+)h\\:([0-9]+)m\\:([0-9]+)s/.matcher(doc['message.keyword'].value); if (t.find()) { return Integer.parseInt(t.group(1))* 60 * 60 + Integer.parseInt(t.group(2)) * 60 + Integer.parseInt(t.group(3)) } else { return 0 }"
      }
    }
  }
}

But when I go to create the index pattern I only get blank results.
What I put in the script field is

def t = /^.*Duration\\: ([0-9]+)h\\:([0-9]+)m\\:([0-9]+)s/.matcher(doc['message.keyword'].value);
if (t.find()) {
   return Integer.parseInt(t.group(1))* 60 * 60 + Integer.parseInt(t.group(2)) * 60 +  Integer.parseInt(t.group(3))
} else {
   return 0
}

Any idea why it works in Dev Tools but cannot generate the script field?

Thanks in advance
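The thread turns on two details that are easy to mix up: the matcher has to be driven with find() (the pattern does not cover the whole string, so a whole-string match fails), and a regex typed inside the JSON "source" string of a Dev Tools request passes through one more escaping layer than the same regex typed directly into the Kibana scripted-field editor. The following is an added illustration of both points, not code from the thread; it is written in Python rather than Painless so it runs stand-alone, with Python's re standing in for Java's Matcher and json.loads standing in for the Dev Tools request parser. The sample line is constructed from the one quoted in the question, and the function names are the example's own.

```python
import json
import re

# Constructed sample, modelled on the anonymised ASA line quoted in the thread.
SAMPLE = (
    "Mar 31 22:57:07 fortinet.xxx.com %ASA-4-113019: Group = XXXX_Users, "
    "Username = XXXXXX, IP = 000.000.000.000, Session disconnected. "
    "Session Type: SSL, Duration: 4h:05m:16s, Bytes xmt: 7035523, "
    "Bytes rcv: 4277273, Reason: Idle Timeout"
)

# The regex exactly as the Painless engine must see it (one backslash before each colon).
# This is the form to type into the scripted-field editor, which has no JSON layer.
PAINLESS_REGEX = r"^.*Duration\: ([0-9]+)h\:([0-9]+)m\:([0-9]+)s"

# The same regex as it has to be written inside a JSON string in a Dev Tools request body:
# JSON consumes one backslash, so each one must be doubled.
JSON_SOURCE_LITERAL = r'"^.*Duration\\: ([0-9]+)h\\:([0-9]+)m\\:([0-9]+)s"'

# The single-backslash form placed inside JSON: "\:" is not a JSON escape, so the request is rejected.
BAD_JSON_SOURCE_LITERAL = r'"^.*Duration\: ([0-9]+)h\:([0-9]+)m\:([0-9]+)s"'


def duration_seconds(message: str, regex: str) -> int:
    """Mirror the corrected Painless script: find() the pattern, return h*3600 + m*60 + s, else 0."""
    m = re.compile(regex).search(message)  # re.search == Matcher.find(): match anywhere
    if m is None:
        return 0
    return int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))


def matches_whole_string(message: str, regex: str) -> bool:
    """Equivalent of Matcher.matches(): the pattern must consume the entire message."""
    return re.compile(regex).fullmatch(message) is not None


def regex_after_json_decoding(json_string_literal: str) -> str:
    """What the server-side script compiler receives after the request body is parsed as JSON."""
    return json.loads(json_string_literal)


def is_valid_json_string(json_string_literal: str) -> bool:
    """True if the literal parses as JSON; a lone backslash before ':' makes it invalid."""
    try:
        json.loads(json_string_literal)
    except json.JSONDecodeError:
        return False
    return True


if __name__ == "__main__":
    # The pattern the scripted-field editor needs, applied directly.
    print(duration_seconds(SAMPLE, PAINLESS_REGEX))
    # Whole-string matching fails because the trailing fields are not covered by the regex.
    print(matches_whole_string(SAMPLE, PAINLESS_REGEX))
    # After JSON decoding, the Dev Tools form collapses to the single-backslash regex.
    print(regex_after_json_decoding(JSON_SOURCE_LITERAL) == PAINLESS_REGEX)
    # Pasting the double-backslash form where no JSON layer exists makes "\\:" mean
    # "a literal backslash then a colon", which never occurs in the message.
    print(duration_seconds(SAMPLE, JSON_SOURCE_LITERAL.strip('"')))
    print(is_valid_json_string(BAD_JSON_SOURCE_LITERAL))
```

The last two checks are the ones worth running when a script returns values in Dev Tools but blanks or zeros elsewhere: confirm that the regex text the engine finally compiles is identical in both places, and that every occurrence of "Duration" in the message actually carries the same h:m:s value, since the greedy ^.* prefix picks the last one.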