Hi folks. I am trying to make a visualisation for MetricBeat process data, and as we run a few things that have identical process names (several instances of SQL server, and many instances of our own in-house app), just displaying data split by system.process.name is not useful - 100% is used by "sqlserver.exe".
I can however use system.process.cmdline, as that has in it an argument that makes the values useful, as then I get separate chart elements for each SQL instance, or copy of our app that is running.
The problem with this is that the command lines are longer than the space available:
It would be really useful if I could somehow show those with the text shortened the other way, so they become
- "...\procname.exe -PARAM1"
- "...\procname.exe -PARAM2"
- "...\procname.exe -PARAM3"
- "...\procname.exe -PARAM4"
- "...\procname.exe -PARAM5"
Can I use a "painless" scripted field for this? From the wording of the docs I can't work out if I am restricted to certain field types always, or only if using the old "Lucene expressions you all know and love".
This for example gives me exceptions:
doc['system']['process']['cmdline'].value.substring(5)
also
doc['system.process.cmdline'].value.substring(5)
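
One way to produce the shortened labels asked for above, as an added example that is not part of the original post: a Painless scripted field (type string) that drops the directory part of the executable path and keeps the file name and arguments. It assumes system.process.cmdline is mapped as a keyword field, that paths use backslashes, and that some documents may not carry the field at all.

```painless
// Added example. Assumption: system.process.cmdline is a keyword field,
// so its doc values can be read from a scripted field.

// Reading .value on a document that has no cmdline throws, so check first.
if (doc['system.process.cmdline'].size() == 0) {
  return "";
}
String cmd = doc['system.process.cmdline'].value;

// The executable path ends at the closing quote when it is quoted,
// otherwise at the first space.
boolean quoted = cmd.startsWith("\"");
int pathEnd = quoted ? cmd.indexOf("\"", 1) : cmd.indexOf(" ");
if (pathEnd < 0) {
  pathEnd = cmd.length();   // no arguments, or an unterminated quote
}

// The last backslash inside the path marks the start of the file name.
int slash = cmd.lastIndexOf("\\", pathEnd);
if (slash < 0) {
  return cmd;               // no directory component, nothing to shorten
}

// Skip the closing quote, if there is one, before appending the arguments.
int restStart = pathEnd;
if (quoted && pathEnd < cmd.length()) {
  restStart = pathEnd + 1;
}

// Yields a label of the form: ...\procname.exe -PARAM1
return "..." + cmd.substring(slash, pathEnd) + cmd.substring(restStart);
```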