Strings query

Kibana 5.4 + ES 5.4
I want to run terms on the suffix of url.keyword, such as docs, doc, zip, etc.

The url.keyword field content looks like 'abcde.html', 'abcde11.zip', 'abcde**222.doc'...

How can I do that?

Thanks for your help.

The best way to do this is to create url.keyword.extension at ingest, but if that is not possible, you could create a scripted field to parse the string and create a new scripted field that only has the data from the last `.` to the end of the string.
You can find good examples here: https://www.elastic.co/blog/using-painless-kibana-scripted-fields
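
A sketch of such a scripted field in Painless, added here as an example and not taken from the reply or the linked blog post. It assumes the values may be full URLs (so a query string, a fragment, or a dot in the host name must not be mistaken for an extension) and that lower-casing the result is wanted so `ZIP` and `zip` land in the same terms bucket:

```painless
// Kibana scripted field (language: painless, type: string).
// Returns the part of url.keyword after the last '.', or "" if there is none.
def url = doc['url.keyword'].value;
if (url == null) {
    return "";
}

// Assumption: values may carry a query string or fragment; drop them first
// so "report.pdf?v=1.2" yields "pdf" and not "2".
int cut = url.indexOf('?');
if (cut >= 0) {
    url = url.substring(0, cut);
}
cut = url.indexOf('#');
if (cut >= 0) {
    url = url.substring(0, cut);
}

int dot = url.lastIndexOf('.');
int slash = url.lastIndexOf('/');

// No extension when there is no dot, when the last dot sits before the last
// path segment (e.g. the dot in "example.com/download"), or when the value
// ends with a dot.
if (dot < 0 || dot < slash || dot == url.length() - 1) {
    return "";
}

// Assumption: normalise case so the terms buckets are not split.
return url.substring(dot + 1).toLowerCase();
```

Scripted fields are evaluated per document at query time, so on a large index the ingest-time field suggested above stays the cheaper option.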

Thanks for your advice. A scripted field is a good idea.

If I don't want to add a field and just do the query in ES, can I do that, such as by using distinct(substr) as in SQL?
