Hello all -- I am curious if kibana is capable of running field extraction queries against data (like splunk) that has already been processed?
Hi dude, I'm not familiar with Splunk's feature set. Could you describe what the output of running the field extraction query would be? Thanks.
So Field extractions can take place within splunk at index time or post processing via patterns. Link : https://docs.splunk.com/Splexicon:Fieldextraction . What I'm referring to is extracting the fields post processing/post index time within elastic. So for instance, if we send data directly to elasticsearch, is there an ability to run post processing queries against the indexed data to structure some fields with them? In splunk we can run rex field extraction function within a query such as : "username:bob dole | rex "PATTERN" to align or associate unparsed fields to a value so that we can refer to them in another piped query. So to extend that previous query we would do something like : "username:bob dole | rex "^.*?(<number1>).....*(<number2>) | count number1,number2". This allows users to process some graphs/process against data that is not parsed against a known pattern. Rex REference : https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Extractfieldswithsearchcommands
Some flexibility is possible through painless and scripted fields but it can quickly get slow and does generally not scale well. Read this blog post for a more detailed discussion.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.