Pre-index data in ingest pipeline

jjammin92 · July 30, 2021, 9:54pm

Good afternoon,

I have some access style logs with a numeric field "player.score." I'm looking to pre-index these fields to leverage patterns for faster retrieval

The values can range anywhere from 0 to 5000 being the highest. I'm trying to create score ranges, something like:

I'm using a grok processor to do the initial parsing and then trying to implement a script processor to create the ranges.

if (ctx.player.score >=0 && ctx.player.score < 1250 ){
    ctx.player.rating = low_score;
} else if(ctx.player.score >= 1250 && ctx.player.score < 2500 ){
    ctx.player.rating = "medium_score";
} else if(ctx..player.scorel >= 2500 && ctx.player.score <3750 ){
    ctx.player.rating = "high_score";
} else if(ctx..player.scorel >= 3750 && ctx.player.score <=5000 ){
    ctx.player.rating = "best_score";

In the documentation it says that the range field can be used to enrich but it doesn't describe that you actually have to use an enrich processor. This should be enough fi I set the mapping appropriate to keyword for player.rating correct?

stephenb · July 30, 2021, 10:31pm

Hi @jjammin92

You don't need an enrich processor to do what you want unless you wanted to add more fields from another index based on the "low_score" as a "lookup" (BTW you are missing the quotes) etc that is what an enrich processor does... basically a lookup to a reference index and then add fields.

I am not sure which documentation you are referring to... can you share that please?

system · August 27, 2021, 10:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.