Unable to run inline script from Kibana UI

bikrant · June 30, 2015, 11:52pm

I'm trying to extract ip:port text from an inline script query, this works when I query ES directly:

{
  "script_fields": {
    "sub_message": {
      "script": "def result = (doc['message'] =~ /.*(127\\.0\\.0\\.1:\\d+).*/); if (result) return result[0][1]; else return 'NA';"
    }
  }
}

I get result like:

  {
    "_index": "testnoanalyzer",
    "_type": "test-type",
    "_id": "8AaHnX0aSeCHR461q9O27Q",
    "_score": 1,
    "fields": {
      "sub_message": [
        "NA"
      ]
    }
  },
  {
    "_index": "testnoanalyzer",
    "_type": "test-type",
    "_id": "4iJ6OC3gTLWDm8d3F6DqZw",
    "_score": 1,
    "fields": {
      "sub_message": [
        "127.0.0.1:7634"
      ]
    }
  }

This great, but I'm having two issues:

How do I get response as a string output instead of an array of string ?
The same scripted query doesn't work in Kibana. I added a "Scripted field" from Kibana UI but I get exception like this:

[2015-06-30 16:48:22,735][DEBUG][action.search.type ] [bneupane.local] All shards failed for phase: [query]
org.elasticsearch.search.SearchParseException: [testnoanalyzer][2]: query[ConstantScore(BooleanFilter(+cache(@timestamp:[1435707202623 TO 1435708102623])))],from[-1],size[0]: Parse Failure [Failed to pars
e source [{"size":0,"query":{"filtered":{"query":{"query_string":{"analyze_wildcard":true,"query":""}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"gte":1435707202623,"lte":1435708102623}}}],"must_
not":[]}}}},"aggs":{"2":{"date_histogram":{"field":"@timestamp","interval":"30s","pre_zone":"-07:00","pre_zone_adjust_large_interval":true,"min_doc_count":1,"extended_bounds":{"min":1435707202619,"max":14
35708102619}},"aggs":{"1":{"cardinality":{"script":"def result = (doc['message'] =~ /.(127\.0\.0\.1:\d+)./); if (result) return result[0][1]; else return 'NA';","lang":"expression"}}}}}}]]
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:735)
at org.elasticsearch.search.SearchService.createContext(SearchService.java:560)
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:532)
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:294)
at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:231)
at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:228)
at org.elasticsearch.search.action.SearchServiceTransportAction$23.run(SearchServiceTransportAction.java:559)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.elasticsearch.script.expression.ExpressionScriptCompilationException: Failed to parse expression: def result = (doc['message'] =~ /.(127.0.0.1:\d+).*/); if (result) return result[0][1]; else return 'NA';
at org.elasticsearch.script.expression.ExpressionScriptEngineService.compile(ExpressionScriptEngineService.java:79)
at org.elasticsearch.script.ScriptService.compileInternal(ScriptService.java:323)
at org.elasticsearch.script.ScriptService.compile(ScriptService.java:287)
at org.elasticsearch.script.ScriptService.search(ScriptService.java:483)
at org.elasticsearch.search.aggregations.support.ValuesSourceParser.createScript(ValuesSourceParser.java:188)
at org.elasticsearch.search.aggregations.support.ValuesSourceParser.config(ValuesSourceParser.java:148)
at org.elasticsearch.search.aggregations.metrics.cardinality.CardinalityParser.parse(CardinalityParser.java:72)
at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:148)
at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:138)
at org.elasticsearch.search.aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:78)
at org.elasticsearch.search.aggregations.AggregationParseElement.parse(AggregationParseElement.java:60)
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:719)
... 9 more
Caused by: java.text.ParseException: invalid sequence of tokens near 'result' at position (4).
at org.apache.lucene.expressions.js.JavascriptParser.displayRecognitionError(JavascriptParser.java:134)
at org.antlr.runtime.BaseRecognizer.reportError(BaseRecognizer.java:186)
at org.apache.lucene.expressions.js.JavascriptParser.postfix(JavascriptParser.java:1622)
at org.apache.lucene.expressions.js.JavascriptParser.unary(JavascriptParser.java:1311)
at org.apache.lucene.expressions.js.JavascriptParser.multiplicative(JavascriptParser.java:1186)
at org.apache.lucene.expressions.js.JavascriptParser.additive(JavascriptParser.java:1093)
at org.apache.lucene.expressions.js.JavascriptParser.shift(JavascriptParser.java:1000)

tbragin · July 13, 2015, 7:01pm

The default scripting language in Kibana is Lucene Expressions, not Groovy, for security reasons. If you do decide to use Groovy, we recommend using static scripts... more on getting that working in this thread: Calling groovy script from Kibana

Topic		Replies	Views
Proper syntax of script fields Elasticsearch	4	519	February 13, 2017
Error with scriptfield in visualization Kibana	4	968	April 6, 2020
Scripted field from sql api not working Elasticsearch	7	1357	December 14, 2020
Cannot execute scripts using [field] context Kibana	6	857	October 16, 2019
Scripted fields sort Kibana	2	864	August 28, 2020

Unable to run inline script from Kibana UI

Related topics