doc1:
message: Reconciliation for plan 141 - Line 3 is completed
This is my case in an index
doc2:
message: Reconciliation for plan 141 - Line 3 is started
doc3:
message: Reconciliation for plan 141 - Line 3 is Failed
Each document will have a "message" field with messages as described above.
In this case, I need to use a scripted field in Kibana to distinguish which line is started, which lines are failed and which line is completed, so that I can visualize and identify them.
So I need to write a query in a scripted field in order to visualize. How do I aggregate, and how can I visualize it?
It would be much more efficient to do extraction of this status into its own field, either before indexing within your client application, or as an Ingest pipeline. Using script fields for matching at index time requires looking at every document, and regexes make the situation even worse.
If I understand your original post correctly, you want to use a filter script to scan values of a "message" field, running a regex on each value. This would first be slow because it requires looking at every document (a linear scan of your entire dataset), but would also require access to _source inside a filter script, which is not allowed for this exact reason (it always degrades to a linear scan).
My suggestion is to extract the "status" into a separate field, before you send the document to Elasticsearch to be indexed. The alternative suggestion is to use an ingest node script to extract the value. But I would only do this if you have no control over your input data. I can't really give an example for that since it is your own code/language.
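The client-side extraction suggested above, as an added example that is not part of the original thread: it parses the message format from the question into separate fields before indexing. The field names `plan` and `line`, the `unknown` fallback and the helper names are assumptions made for illustration; only `message` and `status` come from the thread.

```python
import re

# Pattern for the message format shown in the question (doc1..doc3).
MESSAGE_RE = re.compile(
    r"^Reconciliation for plan (?P<plan>\d+) - Line (?P<line>\d+) is "
    r"(?P<status>started|completed|failed)\s*$",
    re.IGNORECASE,
)


def enrich(doc):
    """Return a copy of doc with plan, line and status fields added.

    A document whose message does not match gets status "unknown",
    so it stays visible in an aggregation instead of disappearing.
    """
    out = dict(doc)
    match = MESSAGE_RE.match(doc.get("message") or "")
    if match is None:
        out["status"] = "unknown"
        return out
    out["plan"] = int(match.group("plan"))    # assumed field name
    out["line"] = int(match.group("line"))    # assumed field name
    out["status"] = match.group("status").lower()  # "Failed" -> "failed"
    return out


def count_by_status(docs):
    """Client-side equivalent of a terms aggregation on status."""
    counts = {}
    for doc in docs:
        counts[doc["status"]] = counts.get(doc["status"], 0) + 1
    return counts


# Constructed sample input: the three messages from the question plus
# one line that does not follow the format.
SAMPLE = [
    {"message": "Reconciliation for plan 141 - Line 3 is completed"},
    {"message": "Reconciliation for plan 141 - Line 3 is started"},
    {"message": "Reconciliation for plan 141 - Line 3 is Failed"},
    {"message": "Reconciliation service restarted"},
]

if __name__ == "__main__":
    enriched = [enrich(d) for d in SAMPLE]
    for d in enriched:
        print(d)
    print(count_by_status(enriched))
```

If `status` is mapped as a `keyword` field, a terms aggregation on it in Kibana gives the per-status counts without any scripted field.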