Query time field extraction and pattern capture token filter

michelecappelletti · March 8, 2016, 3:05pm

Hi,
I've found that elasticsearch doesn't support query time field extraction, like splunk for example..:
sourcetype=* POST| rex field=_raw "\"POST (?<url>.*) HTTP\/1\.1\" (?<status_code>[0-9]+) (?<body_size>[0-9]+) (?<response_time>[0-9]+)" | timechart span=1d avg(response_time) by url

and im trying to achieve a workaround: the only thing that i've found in the doc that seems to treat this argument is pattern capture token filter..

https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-pattern-capture-tokenfilter.html

but i can't really understand how to use it and even if it's really something that can help me in my intent.

So, every suggest is welcome

regards,
Michele

nik9000 · March 8, 2016, 3:23pm

It's an index time thing, not a query time thing.

I don't know splunk but I presume you are looking for some way to extract fields at query time. Elasticsearch's thing for this is script fields particularly the bit about _source. It doesn't support the kind of named regex thing you are using.

Topic		Replies	Views
Post Processing / Field Extraction Kibana	4	2246	June 29, 2019
Search time field extraction Elasticsearch	2	1974	July 6, 2017
Converting Splunk Field Extraction in Logstash Equivalent Logstash	2	1656	July 6, 2017
Query with Date filter Elasticsearch	3	966	February 8, 2018
Time to timestamp issue Logstash	11	1010	February 15, 2018

Query time field extraction and pattern capture token filter

Related topics