Visualize specific string from field

Jose_H · April 21, 2020, 10:24am

Hi all. We are trying to visualize the count of users connected to our VPN from the event.original field (Cisco FirePower syslogs collected through filebeat) but are unsure how to strip and only show users instead of the whole message string:

Indexed Data
event.original %FTD-6-722022: Group <RA-VPN-GRP> User <john.doe> IP <192.168.1.1> UDP SVC connection established without compression

Kibana Visual:

Any help will be greatly be appreciated.

myasonik · April 21, 2020, 5:46pm

Hey @Jose_H!

Unfortunately, that's not something you can do directly inside of Visualize. I think either creating a scripted field or creating a custom plugin to create a custom field formatter is the way to go here.

Jose_H · April 22, 2020, 1:35pm

Hi @myasonik ,

Thanks for clarifying that. I am using the below script but I am unable to strip and show only the username value:

Script:

def path = doc['event.original'];
for (String m: path) {
if (m.contains('User')) {
return m;
}
}
return "";

Scripted Field Output:

Test %FTD-722022: Group User <john.doe> IP <192.168.1.1> UDP SVC connection established without compression.

Any idea how this can be achieved?

myasonik · April 22, 2020, 4:27pm

Right now you're returning the whole string if the string contains the word User but you want to return only a substring.

You can use regex to pull out just the part you want to display (some of the Painless examples show regex examples).

Also, make sure to turn on regex support! You'll need to enable it in elasticsearch.yml:
script.painless.regex.enabled: true

Jose_H · April 23, 2020, 12:13pm

Regex is the way to go but I was unable to create or find a script close to the solution wanted to return the substring.

myasonik · April 23, 2020, 4:23pm

I think something like this should work though I haven't tested it:

Matcher match = /User <(.*)> IP/.matcher(doc['event.original');
if (match.matches()) {
  return match.group(1);
} else {
  return 'no user found';
}

Jose_H · April 27, 2020, 7:48am

Thanks for the script. I tried that however Im getting the this error:

{
 "root_cause": [
  {
   "type": "script_exception",
   "reason": "compile error",
   "script_stack": [
    "... cher(doc['event.original');\r\nif (match.matches())  ...",
    "                             ^---- HERE"
   ],
   "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original');\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
   "lang": "painless"
  }
 ],
 "type": "search_phase_execution_exception",
 "reason": "all shards failed",
 "phase": "query",
 "grouped": true,
 "failed_shards": [
  {
   "shard": 0,
   "index": "filebeat-7.6.2-2020.04.24-000001",
   "node": "I0KYH24DQNyyw57l5GaA0g",
   "reason": {
    "type": "script_exception",
    "reason": "compile error",
    "script_stack": [
     "... cher(doc['event.original');\r\nif (match.matches())  ...",
     "                             ^---- HERE"
    ],
    "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original');\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
    "lang": "painless",
    "caused_by": {
     "type": "illegal_argument_exception",
     "reason": "invalid sequence of tokens near [')'].",
     "caused_by": {
      "type": "no_viable_alt_exception",
      "reason": null
     }
    }
   }
  }
 ]
}

I've tried to add the missing bracket doc['event.original']); but this spits out a new error:

{
 "root_cause": [
  {
   "type": "script_exception",
   "reason": "runtime error",
   "script_stack": [
    "match = /User <(.*)> IP/.matcher(doc['event.original']);\r\n",
    "                                    ^---- HERE"
   ],
   "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original']);\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
   "lang": "painless"
  }
 ],
 "type": "search_phase_execution_exception",
 "reason": "all shards failed",
 "phase": "query",
 "grouped": true,
 "failed_shards": [
  {
   "shard": 0,
   "index": "filebeat-7.6.2-2020.04.24-000001",
   "node": "I0KYH24DQNyyw57l5GaA0g",
   "reason": {
    "type": "script_exception",
    "reason": "runtime error",
    "script_stack": [
     "match = /User <(.*)> IP/.matcher(doc['event.original']);\r\n",
     "                                    ^---- HERE"
    ],
    "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original']);\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
    "lang": "painless",
    "caused_by": {
     "type": "class_cast_exception",
     "reason": "class org.elasticsearch.index.fielddata.ScriptDocValues$Strings cannot be cast to class java.lang.CharSequence (org.elasticsearch.index.fielddata.ScriptDocValues$Strings is in unnamed module of loader 'app'; java.lang.CharSequence is in module java.base of loader 'bootstrap')"
    }
   }
  }
 ]
}

Any ideas?

system · May 25, 2020, 7:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regex on filtered data on Kibana Kibana	8	344	February 8, 2023
Parse a Json Field in a visualization Kibana	5	5825	February 23, 2018
Aggregate/visualize based on substring or regex query Kibana	2	5137	February 17, 2020
Visualisation Painless script between two characters Kibana	8	771	May 25, 2021
How to use the script field for string Kibana	9	5873	April 20, 2020

Visualize specific string from field

Related topics