Painless unable to access any field

Alex_Zeleznikov · October 16, 2018, 10:50am

I'm trying to use painless to extract a substring from a field, however it seems painless is unable to access ANY fields.

Tried all of the below and they all fail (and I've checked that the fields exists, it's the default metricbeat fields):

doc.containsKey('docker.container.image.keyword') ? doc['docker.container.image.keyword'].value : 'none'

def image = doc['docker.container.image.keyword'].value;
if (image != null) {
   int lastSlashIndex = image.lastIndexOf(':');
   if (lastSlashIndex > 0) {
   return image.substring(lastSlashIndex+1);
   }
}
return 'none';

Tried with and without keyword, tried filtering the search to documents that contains the specified fields, even a simple doc['beat.name.keyword'].value return "No field found for [beat.name.keyword] in mapping with types []"

rjernst · October 16, 2018, 4:38pm

The error message you past shows a field beat.name.keyword, but your code shows docker.container.image.keyword. This error means the field does not exist in the mappings. So I would start by checking that field exists in your mappings (and note that it must exist in the mappings for all indexes you are searching).

system · November 13, 2018, 4:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.