Parse a Json Field in a visualization

Kharma · January 24, 2018, 6:54pm

I have a large group of data in Kibana that takes the form of below:

// C:\Users*\AppData\Local\FluxSoftware\Flux\flux.exe
// C:\Users*\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Where * is a username. I would like to track the count of each of these files based on the hostnames associated (in the same log) and return all files (not including path, so "flux.exe" or "OneDriveStandaloneUpdater.exe") that are found on 3 or less unique hosts.

The issue I am having is determining a way to filter C:\Users*\AppData\Local\FluxSoftware\Flux\flux.exe down to "flux.exe" to be able to create a visualization on it. Is there a good way to do this inside of kibana?

Nathan_Reese · January 24, 2018, 7:35pm

You could try to create a scripted field to extract the the path but the better solution is to exact the path during ingest.

Kharma · January 24, 2018, 10:13pm

Hello Nathan,

Thank you for the quick response. After reading about Scripted fields it appears that it is only used for Computational data and doesn't allow me to split a field (essentially). Allowing data to be manipulated inside of Kibana seems like it would be a pretty common use case.

system · February 21, 2018, 10:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

LeeDr · February 22, 2018, 11:51pm

Looks like @Nathan_Reese missed you're response. Actually scripted fields using the painless scripting language can parse and manipulate strings. If you still need help with it let me know.

Regards,
Lee

LeeDr · February 23, 2018, 12:58am

There's actually a similar example if getting the last \ in a path here;