Visualize specific string from field

Jose_H · April 21, 2020, 10:24am

Hi all. We are trying to visualize the count of users connected to our VPN from the event.original field (Cisco FirePower syslogs collected through filebeat) but are unsure how to strip and only show users instead of the whole message string:

Indexed Data
event.original %FTD-6-722022: Group <RA-VPN-GRP> User <john.doe> IP <192.168.1.1> UDP SVC connection established without compression

Kibana Visual:

Any help will be greatly be appreciated.

myasonik · April 21, 2020, 5:46pm

Hey @Jose_H!

Unfortunately, that's not something you can do directly inside of Visualize. I think either creating a scripted field or creating a custom plugin to create a custom field formatter is the way to go here.

Jose_H · April 22, 2020, 1:35pm

Hi @myasonik ,

Thanks for clarifying that. I am using the below script but I am unable to strip and show only the username value:

Script:

def path = doc['event.original'];
for (String m: path) {
if (m.contains('User')) {
return m;
}
}
return "";

Scripted Field Output:

Test %FTD-722022: Group User <john.doe> IP <192.168.1.1> UDP SVC connection established without compression.

Any idea how this can be achieved?

myasonik · April 22, 2020, 4:27pm

Right now you're returning the whole string if the string contains the word User but you want to return only a substring.

You can use regex to pull out just the part you want to display (some of the Painless examples show regex examples).

Also, make sure to turn on regex support! You'll need to enable it in elasticsearch.yml:
script.painless.regex.enabled: true

Jose_H · April 23, 2020, 12:13pm

Regex is the way to go but I was unable to create or find a script close to the solution wanted to return the substring.

myasonik · April 23, 2020, 4:23pm

I think something like this should work though I haven't tested it:

Matcher match = /User <(.*)> IP/.matcher(doc['event.original');
if (match.matches()) {
  return match.group(1);
} else {
  return 'no user found';
}

Jose_H · April 27, 2020, 7:48am

Thanks for the script. I tried that however Im getting the this error:

{
 "root_cause": [
  {
   "type": "script_exception",
   "reason": "compile error",
   "script_stack": [
    "... cher(doc['event.original');\r\nif (match.matches())  ...",
    "                             ^---- HERE"
   ],
   "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original');\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
   "lang": "painless"
  }
 ],
 "type": "search_phase_execution_exception",
 "reason": "all shards failed",
 "phase": "query",
 "grouped": true,
 "failed_shards": [
  {
   "shard": 0,
   "index": "filebeat-7.6.2-2020.04.24-000001",
   "node": "I0KYH24DQNyyw57l5GaA0g",
   "reason": {
    "type": "script_exception",
    "reason": "compile error",
    "script_stack": [
     "... cher(doc['event.original');\r\nif (match.matches())  ...",
     "                             ^---- HERE"
    ],
    "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original');\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
    "lang": "painless",
    "caused_by": {
     "type": "illegal_argument_exception",
     "reason": "invalid sequence of tokens near [')'].",
     "caused_by": {
      "type": "no_viable_alt_exception",
      "reason": null
     }
    }
   }
  }
 ]
}

I've tried to add the missing bracket doc['event.original']); but this spits out a new error:

{
 "root_cause": [
  {
   "type": "script_exception",
   "reason": "runtime error",
   "script_stack": [
    "match = /User <(.*)> IP/.matcher(doc['event.original']);\r\n",
    "                                    ^---- HERE"
   ],
   "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original']);\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
   "lang": "painless"
  }
 ],
 "type": "search_phase_execution_exception",
 "reason": "all shards failed",
 "phase": "query",
 "grouped": true,
 "failed_shards": [
  {
   "shard": 0,
   "index": "filebeat-7.6.2-2020.04.24-000001",
   "node": "I0KYH24DQNyyw57l5GaA0g",
   "reason": {
    "type": "script_exception",
    "reason": "runtime error",
    "script_stack": [
     "match = /User <(.*)> IP/.matcher(doc['event.original']);\r\n",
     "                                    ^---- HERE"
    ],
    "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original']);\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
    "lang": "painless",
    "caused_by": {
     "type": "class_cast_exception",
     "reason": "class org.elasticsearch.index.fielddata.ScriptDocValues$Strings cannot be cast to class java.lang.CharSequence (org.elasticsearch.index.fielddata.ScriptDocValues$Strings is in unnamed module of loader 'app'; java.lang.CharSequence is in module java.base of loader 'bootstrap')"
    }
   }
  }
 ]
}

Any ideas?

system · May 25, 2020, 7:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use the script field for string Kibana	9	5985	April 20, 2020
Returning part of a field with a regexp Elasticsearch	2	346	July 6, 2017
Kibana string manipulation Kibana	2	631	February 22, 2021
Parse a Json Field in a visualization Kibana	5	5938	February 23, 2018
Kibana 5 \| apply regex on scripted fields Kibana	7	8434	January 10, 2017

Visualize specific string from field

Related topics