Replace value from one field in another field using an Elasticsearch Ingest Pipeline

Elastic Stack Elasticsearch
,
1

I need to remove a substring contained in one field from another field. However, I don't seem to be able to use the gsub or grok processors to accomplish this. E.g., I have the following fields:

{
    "foo": "foo",
    "foobar": "foobar"
}

Desired outcome would be to have the final document look like the following:

{
  "fields": {
    "foo": "foo",
    "foobar": "bar"
  }
}

However, the following throws an error:

[
  "gsub": {
    "field": "fields.foobar",
    "pattern": "{{ fields.foo }}",
    "replacement": ""
  }
]

And the following also fails to create the new field fields.baz: bar:

[
  "grok": {
    "field": "fields.foobar",
    "pattern": "^{{ fields.foo }}%{DATA:fields.baz}"
  }
]

I'm not able to preprocess the value of fields.foobar prior to sending it to Elasticsearch, which is why I need to do it this way. It seems that there should be a way to do this, perhaps with painless, but I haven't been able to determine it yet.

2

I ended up using painless. This is the script I used:

if (ctx.fields.foo.startsWith(ctx.fields.foobar)) {
  ctx['fields']['foobar'] = ctx.fields.foobar.substring(ctx.fields.foo.length());
}
3

@DougR NICE!!!

I worked on it a while and didn't have a solution yet...

Thanks for posting your solution TIL!

1 Like
4

There was actually a bug in the original solution I posted, and I can't edit it at this point. The code should've been:

if (ctx.fields.foobar.startsWith(ctx.fields.foo)) {
  ctx['fields']['foobar'] = ctx.fields.foobar.substring(ctx.fields.foo.length());
}
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.