Query time field extraction and pattern capture token filter

Hi,
I've found that Elasticsearch doesn't support query time field extraction, like Splunk does, for example:
sourcetype=* POST| rex field=_raw "\"POST (?<url>.*) HTTP\/1\.1\" (?<status_code>[0-9]+) (?<body_size>[0-9]+) (?<response_time>[0-9]+)" | timechart span=1d avg(response_time) by url

and I'm trying to achieve a workaround: the only thing I've found in the docs that seems to treat this topic is the pattern capture token filter:

https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-pattern-capture-tokenfilter.html

but I can't really understand how to use it, or even whether it's really something that can help me with what I intend.

So, every suggestion is welcome.

regards,
Michele

It's an index time thing, not a query time thing.

I don't know Splunk, but I presume you are looking for some way to extract fields at query time. Elasticsearch's thing for this is script fields, particularly the bit about _source. It doesn't support the kind of named regex thing you are using.
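As an added illustration of the script-fields approach mentioned in the reply above (this is not code from either poster, and the index name `weblogs`, the field `message` holding the raw access-log line, and the use of Painless on Elasticsearch 5+ are all assumptions), here is a search body, sent to `/weblogs/_search`, that runs the poster's regex against `_source` for each hit and returns the four captured values as a script field. Painless has no named capture groups, so numbered groups are used instead:

```json
{
  "size": 50,
  "query": {
    "match": {
      "message": "POST"
    }
  },
  "script_fields": {
    "web": {
      "script": {
        "lang": "painless",
        "source": "def m = /\"POST (\\S+) HTTP\\/1\\.1\" (\\d+) (\\d+) (\\d+)/.matcher(params._source.message); if (!m.find()) { return null; } return ['url': m.group(1), 'status_code': Integer.parseInt(m.group(2)), 'body_size': Long.parseLong(m.group(3)), 'response_time': Long.parseLong(m.group(4))];"
      }
    }
  }
}
```

Two caveats a practitioner should keep in mind. Regular expressions in Painless are gated by the `script.painless.regex.enabled` cluster setting and may be disabled by default depending on the version, so the script above can fail to compile until that is turned on. Also, script fields are computed per returned hit, which gives you the `rex`-style extraction but not the `timechart avg(response_time) by url` half of the Splunk pipeline: aggregating over fields that only exist after a per-document regex is exactly the case the first reply points at, and is better handled by extracting those fields at index time.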