Message :
DIR* completeFile: /user/spark/applicationHistory/.07aeece0-2474-4a9e-a4f3-a6f511d47000 is closed by DFSClient_NONMAPREDUCE_1865763448_1
so , i want to fetch DFSClient_NONMAPREDUCE_1865763448_1 (this is sub string in message)
when i applied filter operation in kibana , i am getting whole message . but instead of that can i fetch only DFSClient_NONMAPREDUCE_1865763448_1 (sub string )
will it possible ?
The best solution is to do this kind of thing during ingest. This means you analyze your message field before you push it into Elasticsearch and create a separate field that just contains the substring you want. You can do that for example with Logstash (by providing a pattern of the message).
If you absolutely want to do it in Kibana after data ingest, you can create a scripted field that does the same thing, but on demand when you are querying data. You can do everything with scripted fields just as with regular fields, e.g. using it in a filter operation. Be aware that this solution doesn't scale well to terabytes of data.
Thanks@flash1293 .
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.