Regex and Aggregations using Painless

Elastic Stack Elasticsearch
1

Hi guys,

I got the following use case that even with the aid of your documentation, I'm not being able to achieve. It goes like this:

Let's suppose that I have this index:
sample_1
Important Note: It's oversimplified just for example sake.

So, Thru the hypothetical Painless scripting below:
sample_2

I'd like to achieve the following aggregation:
sample_3

Any thoughts?

2

You can use a scripted terms aggregation for this.

Given your data has been indexed like this:

POST _bulk
{"index" : {"_index": "my_index", "_type": "doc", "_id": "1"}}
{"category": "BUG", "user": "Peter", "description": "It's a Windows issue bla bla", "date": "2017-01-15"}
{"index" : {"_index": "my_index", "_type": "doc", "_id": "2"}}
{"category": "BUG", "user": "Peter", "description": "It's a Linux and Windows combined issue bla bla", "date": "2017-01-16"}
{"index" : {"_index": "my_index", "_type": "doc", "_id": "3"}}
{"category": "BUG", "user": "Peter", "description": "It's a Linux issue bla bla", "date": "2017-01-17"}

The following aggregation request:

GET my_index/_search
{
  "size": 0,
  "aggs": {
    "Member": {
      "terms": {
        "script": {
          "source": """
            if (doc['description.keyword'].value =~ /.*Linux/) {
              return "Type A";
            }
            else {
              return "Type B"
            }
          """,
          "lang": "painless"
        },
        "size": 10
      }
    }
  }
}

Returns you this:

"Member": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    {
      "key": "Type A",
      "doc_count": 2
    },
    {
      "key": "Type B",
      "doc_count": 1
    }
  ]
}

In order to use regular expressions in scripts, you will need to enable that in the elasticsearch.yml configuration file first:

script.painless.regex.enabled: true

3

Hi @abdon,
Sorry for the late reply and thanks for taking some time thinking of this.

You nailed what I'm after, that's awesome. But I've tried to use the following 2 Elastic interfaces and I didn't succeed. Got to be a char that I'm not scaping:

Head:

1

Elasticsearch toolbox:

2
2.JPG996×475 37.4 KB

Can you spot something I'm doing wrong?
On that, What API you use to run these aggregations?

4

I'm not familiar with Head or Elasticsearch toolbox. Maybe you need to escape the slashes? Maybe head does not like the string notation with the three quotes """"?

I typically use Console, the dev tool that's built into Kibana: https://www.elastic.co/guide/en/kibana/current/console-kibana.html

5

Just a comment. From my experience, HEAD does not work for GET with body.
You need to change the verb to POST.

As @abdon said, better to use Kibana DEV console IMO.

6

Hi @abdon , it worked. I only had to change "source" by "inline".
@dadoonet you are also right on the verb thing.

Thanks guys!

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.