I have a log with a message field that I want to parse a "time" field out of.
For example:
message: words::words::words (time=517, words)
is an example of my message field. I want to create a field called time containing the value 517. How can I go about this in Kibana? I read a few tutorials, but the resources seem limited.
You can use Java string operations to find the index of time= and the first index of , after the time and finally return a substring between those values.
But I highly recommend against this solution. String operations are costly to do in scripted fields, and they will run for every document in your search. The best time to parse that string is at ingest time, with a Logstash filter.
Sweet, nice. It may end up moving into fluentd or logstash someday, but for now the company I'm at just wants to see the field and if it is useful we can parse it at ingest time.
Thanks.
So could I do something like this?
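// Read the message value from the document's doc values
def msg = doc['message'].value;
// Position of the first "=" and the first "," in the message
def index1 = msg.indexOf("=");
def index2 = msg.indexOf(",");
// The method name is substring (lowercase s), as in Java
msg = msg.substring(index1 + 1, index2);
int num = Integer.parseInt(msg);
return num;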
I'm just a bit confused about how to get the message string from the fields.
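An added example, not part of the original thread: a Painless scripted field for the approach discussed above that anchors on `time=` and guards the cases the short version trips over (no message value, no `time=` token, no number after it). It assumes the mapping has a keyword sub-field named `message.keyword`, and it returns -1 as an assumed "not found" sentinel, so filter that value out in visualizations.

```painless
// Added example for a Kibana scripted field of type "number".
// Assumption: the mapping has a keyword sub-field named message.keyword;
// an analyzed text field normally has no doc values for doc[...] to read.
def field = doc['message.keyword'];
if (field.size() == 0) {
    return -1;                       // document has no message value
}
String msg = field.value;

// Anchor on the literal "time=" instead of the first "=" in the message,
// so an earlier key=value pair cannot be picked up by mistake.
String marker = "time=";
int start = msg.indexOf(marker);
if (start < 0) {
    return -1;                       // no time= token in this message
}
start += marker.length();

// Read only the run of digits after the marker. This bounds the value
// without depending on a "," or ")" following it.
int end = start;
while (end < msg.length() && Character.isDigit(msg.charAt(end))) {
    end++;
}
if (end == start) {
    return -1;                       // "time=" is not followed by a number
}

try {
    return Integer.parseInt(msg.substring(start, end));
} catch (NumberFormatException e) {
    return -1;                       // digit run does not fit in an int
}
```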