Search on pipelines user-agent fields

the_fire_fades · April 23, 2020, 4:38pm

Hello everybody,

I use the https://www.elastic.co/guide/en/elasticsearch/reference/current/user-agent-processor.html tutorial to extract the user-agent from a header that I put in my documents.

This works fine, I have exactly what I want when I see my document with for example that:
GET customer/_doc/9463
I got:

    {
    	"customer_name": "doe",
    	"user_agent": {
    		"original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1",
    		"os": {
    			"name": "iOS",
    			"version": "13.1.2",
    			"full": "iOS 13.1.2"
    		},
    		"name": "Mobile Safari",
    		"device": {
    			"name": "iPhone"
    		},
    		"version": "13.0.1"
    	},
    	"city": paris
    }

But when I try to do an aggregation on user_agent or just query match nothing happens... It's like my field is only for view purpose but not to search on it. I think that extra fieds that have been generated by pipeline are accessible by another way that the tradiotional:

{
"query": {"match":{"my_field":"my_value"}}
}

But how. I'm relatively so any advice gonna be a great help. Thanks

dadoonet · April 24, 2020, 2:47am

Welcome!

Check the mapping for this field. It must be using a keyword datatype.
If you are using the default mapping, there's probably a subfield keyword like user_agent.name.keyword which you can use for aggs.

the_fire_fades · April 24, 2020, 10:43am

Thanks for the response,

Acutally it's really weird because if I type:

GET customer/_mapping/field/user_agent

I got

{
  "seed": {
    "mappings": {}
  }
}

But what is really weird that I see my value when I do
GET seed/_doc/28
I got

(...)
"user_agent": {
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
"os": {
"name": "Windows 10"
},
"name": "Chrome",
"device": {
"name": "Other"
},
"version": "78.0.3904"
},
(...)
}
It's like my document has the user_agent field but not user_agent is not mapped.
What I uderstand of pipleine is that a pipeline "transform" a document and add some extra fields, before the indexation. The pipeline add the extra fields with the mapping so why I can find my user_agent field with GET seed/_doc/28 but not in mapping ?

To be more specific about this issue, the indaxation is made in php by the bundle elastica. Maybe the problem is due to that

the_fire_fades · April 24, 2020, 10:52am

I find why !

In my mapping I had
{
"seed": {
"mappings": {
"dynamic": "false",
"properties": {

So my mapping was never made for user_agent field. I remove the dynamic configuration and now by default may mapping is made so I (finally) found my mapping for user_agent.

Thanks again for the response.

system · May 22, 2020, 10:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Indexing User-Agent data Elasticsearch	8	527	June 27, 2020
Field value not found in aggregatable field Elasticsearch	3	276	February 11, 2023
Install ingest-user-agent on ELK Logstash	3	547	November 26, 2018
Visitor user agent information Elasticsearch	6	347	November 11, 2020
Elastic pipeline processors grok for question! Elasticsearch ingest-pipeline	1	289	June 16, 2023

Search on pipelines user-agent fields

Related topics