Unable to run inline script from Kibana UI

bikrant · June 30, 2015, 11:52pm

I'm trying to extract ip:port text from an inline script query, this works when I query ES directly:

{
  "script_fields": {
    "sub_message": {
      "script": "def result = (doc['message'] =~ /.*(127\\.0\\.0\\.1:\\d+).*/); if (result) return result[0][1]; else return 'NA';"
    }
  }
}

I get result like:

  {
    "_index": "testnoanalyzer",
    "_type": "test-type",
    "_id": "8AaHnX0aSeCHR461q9O27Q",
    "_score": 1,
    "fields": {
      "sub_message": [
        "NA"
      ]
    }
  },
  {
    "_index": "testnoanalyzer",
    "_type": "test-type",
    "_id": "4iJ6OC3gTLWDm8d3F6DqZw",
    "_score": 1,
    "fields": {
      "sub_message": [
        "127.0.0.1:7634"
      ]
    }
  }

This great, but I'm having two issues:

How do I get response as a string output instead of an array of string ?
The same scripted query doesn't work in Kibana. I added a "Scripted field" from Kibana UI but I get exception like this:

[2015-06-30 16:48:22,735][DEBUG][action.search.type ] [bneupane.local] All shards failed for phase: [query]
org.elasticsearch.search.SearchParseException: [testnoanalyzer][2]: query[ConstantScore(BooleanFilter(+cache(@timestamp:[1435707202623 TO 1435708102623])))],from[-1],size[0]: Parse Failure [Failed to pars
e source [{"size":0,"query":{"filtered":{"query":{"query_string":{"analyze_wildcard":true,"query":""}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"gte":1435707202623,"lte":1435708102623}}}],"must_
not":[]}}}},"aggs":{"2":{"date_histogram":{"field":"@timestamp","interval":"30s","pre_zone":"-07:00","pre_zone_adjust_large_interval":true,"min_doc_count":1,"extended_bounds":{"min":1435707202619,"max":14
35708102619}},"aggs":{"1":{"cardinality":{"script":"def result = (doc['message'] =~ /.(127\.0\.0\.1:\d+)./); if (result) return result[0][1]; else return 'NA';","lang":"expression"}}}}}}]]
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:735)
at org.elasticsearch.search.SearchService.createContext(SearchService.java:560)
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:532)
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:294)
at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:231)
at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:228)
at org.elasticsearch.search.action.SearchServiceTransportAction$23.run(SearchServiceTransportAction.java:559)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.elasticsearch.script.expression.ExpressionScriptCompilationException: Failed to parse expression: def result = (doc['message'] =~ /.(127.0.0.1:\d+).*/); if (result) return result[0][1]; else return 'NA';
at org.elasticsearch.script.expression.ExpressionScriptEngineService.compile(ExpressionScriptEngineService.java:79)
at org.elasticsearch.script.ScriptService.compileInternal(ScriptService.java:323)
at org.elasticsearch.script.ScriptService.compile(ScriptService.java:287)
at org.elasticsearch.script.ScriptService.search(ScriptService.java:483)
at org.elasticsearch.search.aggregations.support.ValuesSourceParser.createScript(ValuesSourceParser.java:188)
at org.elasticsearch.search.aggregations.support.ValuesSourceParser.config(ValuesSourceParser.java:148)
at org.elasticsearch.search.aggregations.metrics.cardinality.CardinalityParser.parse(CardinalityParser.java:72)
at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:148)
at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:138)
at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:78)
at org.elasticsearch.search.aggregations.AggregationParseElement.parse(AggregationParseElement.java:60)
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:719)
... 9 more
Caused by: java.text.ParseException: invalid sequence of tokens near 'result' at position (4).
at org.apache.lucene.expressions.js.JavascriptParser.displayRecognitionError(JavascriptParser.java:134)
at org.antlr.runtime.BaseRecognizer.reportError(BaseRecognizer.java:186)
at org.apache.lucene.expressions.js.JavascriptParser.postfix(JavascriptParser.java:1622)
at org.apache.lucene.expressions.js.JavascriptParser.unary(JavascriptParser.java:1311)
at org.apache.lucene.expressions.js.JavascriptParser.multiplicative(JavascriptParser.java:1186)
at org.apache.lucene.expressions.js.JavascriptParser.additive(JavascriptParser.java:1093)
at org.apache.lucene.expressions.js.JavascriptParser.shift(JavascriptParser.java:1000)

tbragin · July 13, 2015, 7:01pm

The default scripting language in Kibana is Lucene Expressions, not Groovy, for security reasons. If you do decide to use Groovy, we recommend using static scripts... more on getting that working in this thread: Calling groovy script from Kibana