Hello,
I have an ELK index created already with the data value ";<status_code>@ip". I need to define an aggregation based on the status code. Can someone please share any hints to split this 'status_code' from the ELK field using runtime-fields.
Thanks
Venkatesh
Hi @rvadiga
I assume your field has all strings that match that pattern ;<status_code>@<ip>.
If that's hold true, then you could write something like this in a runtime_field:
def match = /^;(\d+)@.*$/.matcher(doc['my_field'].value);
if ( match.find() ) {
emit(match.group(1));
}
Thanks Marco. Your suggestions is a great help for my task.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.