Sharing my transform alongwith Pipeline.
- Transform
POST _transform/_preview
{
"source": {
"index": [
"events.test"
]
},
"pivot": {
"group_by": {
"session_id": {
"terms": {
"field": "session_id"
}
},
"device_id": {
"terms": {
"field": "device_id"
}
}
},
"aggregations": {
"session_start": {
"min": {
"field": "server_time"
}
},
"session_end": {
"max": {
"field": "server_time"
}
},
"time_spent": {
"bucket_script": {
"buckets_path": {
"start": "session_start.value",
"stop": "session_end.value"
},
"script": """
return (params.stop - params.start)/1000;
"""
}
}
}
},
"frequency": "15m",
"dest": {
"index": "analysis.test",
"pipeline":"transform_user"
},
"settings": {
"max_page_search_size": 500
}
}
2.Pipeline
PUT _ingest/pipeline/transform_user
{
"processors": [
{
"grok": {
"field": "session_id",
"patterns": [
"(?<param19>...)$"
]
}
},
{
"script": {
"lang": "painless",
"source": """
if (ctx.param19 == 'and')
{
ctx.param19 = 'Android';
}
"""
}
},
{
"grok": {
"field": "param20",
"patterns": [
"(?<param20>%{GREEDYDATA})$"
]
}
},
{
"script": {
"source": """
ctx.user_type = "Free"
if (ctx.param20 == "NearRenewalUser" || ctx.param20 == "NearRenewalUserPP"
|| ctx.param20 == "SubUser" || ctx.param20 == "SubUserPP"
|| ctx.param20 == "RenewedUser" || ctx.param20 == "RenewedUserPP"
|| ctx.param20 == "PremiumSubUserPP" || ctx.param20 == "PremiumSubUser")
{
ctx.user_type = 'Paid';
}
"""
}
}
]
}
Blockquote