Scripted field pulling from a json array

sam.williams · May 2, 2019, 9:31am

Hey All,

I'm having trouble getting some json data from a field using painless. I have an index with firewall data, one of the fields is headers. I want to pull from the header the requested host, but as you can see from the data it's not keyed as i'd expect. So i need to say where Name = Host get the Value.

So it returns my.website.com, the json is stored in httpRequest.headers and here is a sample;

{
  "name": "Host",
  "value": "my.website.com"
},
{
  "name": "Content-Length",
  "value": "0"
},
{
  "name": "pragma",
  "value": "no-cache"
},
{
  "name": "cache-control",
  "value": "no-cache"
},
{
  "name": "user-agent",
  "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
},
{
  "name": "accept",
  "value": "text/css,*/*;q=0.1"
}

Now i can pull the all the values or names like this; doc['httpRequest.headers.name.keyword'].value but that returns, mywebsite.com, pragam, 0 etc. etc..

How do I pull just the host value?

tylersmalley · May 2, 2019, 8:41pm

I would really advise against this. Since this data would not be indexed ES would have to do this iteration over every document to return the Host. My advice would be to do this at index time. This can be done when you're indexing the data, with a Pipeline, or with Logstash.

system · May 30, 2019, 8:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract value from a field using painless script Kibana painless	6	886	July 6, 2023
Access a field in array using Painless scripted field Kibana painless	3	549	November 5, 2020
Fields with a "dot" in them do not persist Kibana painless	4	910	June 29, 2020
Access Kibana config value from scripted field? Kibana	5	1364	April 5, 2018
Parse a Json Field in a visualization Kibana	5	5825	February 23, 2018

Scripted field pulling from a json array

Related topics