Scripted field pulling from a json array

Hey All,

I'm having trouble getting some JSON data from a field using Painless. I have an index with firewall data; one of the fields is headers. I want to pull the requested host from the header, but as you can see from the data it's not keyed as I'd expect. So I need to say: where Name = Host, get the Value.

So it returns my.website.com. The JSON is stored in httpRequest.headers and here is a sample:

{
  "name": "Host",
  "value": "my.website.com"
},
{
  "name": "Content-Length",
  "value": "0"
},
{
  "name": "pragma",
  "value": "no-cache"
},
{
  "name": "cache-control",
  "value": "no-cache"
},
{
  "name": "user-agent",
  "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
},
{
  "name": "accept",
  "value": "text/css,*/*;q=0.1"
}

Now I can pull all the values or names like this: doc['httpRequest.headers.name.keyword'].value, but that returns mywebsite.com, pragma, 0, etc.

How do I pull just the host value?

I would really advise against this. Since this data would not be indexed, ES would have to do this iteration over every document to return the Host. My advice would be to do this at index time. This can be done when you're indexing the data, with a Pipeline, or with Logstash.
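
The index-time approach suggested in the reply, sketched as an added example that is not part of the original thread: an ingest pipeline whose Painless script copies the Host header into its own field, followed by a simulate call on constructed documents. The pipeline name `extract-host-header` and the target field `httpRequest.host` are assumptions, as is the layout of `httpRequest.headers` as an array of name/value objects in `_source`.

```console
# Added example. Pipeline name and target field are assumptions,
# not names taken from the thread.
PUT _ingest/pipeline/extract-host-header
{
  "description": "Copy the Host request header into its own field at index time",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "source": """
          // headers is expected to be an array of {name, value} objects
          def headers = ctx.httpRequest?.headers;
          if (headers instanceof List) {
            for (def h : headers) {
              // HTTP header names are case-insensitive: match Host, host, HOST
              if (h instanceof Map && h.name instanceof String
                  && h.name.equalsIgnoreCase('host')) {
                ctx.httpRequest.host = h.value;
                break;
              }
            }
          }
          // No Host header (or no headers at all): the document is left unchanged
        """
      }
    }
  ]
}

# Constructed test documents: one with a Host header, one without
POST _ingest/pipeline/extract-host-header/_simulate
{
  "docs": [
    { "_source": { "httpRequest": { "headers": [
      { "name": "Host", "value": "my.website.com" },
      { "name": "pragma", "value": "no-cache" } ] } } },
    { "_source": { "httpRequest": { "headers": [
      { "name": "accept", "value": "text/css,*/*;q=0.1" } ] } } }
  ]
}
```

To apply it, index with `?pipeline=extract-host-header` or set `index.default_pipeline` on the index; the new field can then be mapped as `keyword` and queried or aggregated without a per-document script.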
