Visualize specific string from field

Hi all. We are trying to visualize the count of users connected to our VPN from the event.original field (Cisco FirePower syslogs collected through filebeat) but are unsure how to strip and only show users instead of the whole message string:

Indexed Data
event.original %FTD-6-722022: Group <RA-VPN-GRP> User <john.doe> IP <192.168.1.1> UDP SVC connection established without compression

Kibana Visual:

Any help will be greatly be appreciated.

Hey @Jose_H!

Unfortunately, that's not something you can do directly inside of Visualize. I think either creating a scripted field or creating a custom plugin to create a custom field formatter is the way to go here.

Hi @myasonik ,

Thanks for clarifying that. I am using the below script but I am unable to strip and show only the username value:

Script:

def path = doc['event.original'];
for (String m: path) {
if (m.contains('User')) {
return m;
}
}
return "";

Scripted Field Output:

Test %FTD-722022: Group User <john.doe> IP <192.168.1.1> UDP SVC connection established without compression.

Any idea how this can be achieved?

Right now you're returning the whole string if the string contains the word User but you want to return only a substring.

You can use regex to pull out just the part you want to display (some of the Painless examples show regex examples).

Also, make sure to turn on regex support! You'll need to enable it in elasticsearch.yml:
script.painless.regex.enabled: true

Regex is the way to go but I was unable to create or find a script close to the solution wanted to return the substring.

I think something like this should work though I haven't tested it:

Matcher match = /User <(.*)> IP/.matcher(doc['event.original');
if (match.matches()) {
  return match.group(1);
} else {
  return 'no user found';
}

Thanks for the script. I tried that however Im getting the this error:

{
 "root_cause": [
  {
   "type": "script_exception",
   "reason": "compile error",
   "script_stack": [
    "... cher(doc['event.original');\r\nif (match.matches())  ...",
    "                             ^---- HERE"
   ],
   "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original');\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
   "lang": "painless"
  }
 ],
 "type": "search_phase_execution_exception",
 "reason": "all shards failed",
 "phase": "query",
 "grouped": true,
 "failed_shards": [
  {
   "shard": 0,
   "index": "filebeat-7.6.2-2020.04.24-000001",
   "node": "I0KYH24DQNyyw57l5GaA0g",
   "reason": {
    "type": "script_exception",
    "reason": "compile error",
    "script_stack": [
     "... cher(doc['event.original');\r\nif (match.matches())  ...",
     "                             ^---- HERE"
    ],
    "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original');\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
    "lang": "painless",
    "caused_by": {
     "type": "illegal_argument_exception",
     "reason": "invalid sequence of tokens near [')'].",
     "caused_by": {
      "type": "no_viable_alt_exception",
      "reason": null
     }
    }
   }
  }
 ]
}

I've tried to add the missing bracket doc['event.original']); but this spits out a new error:

{
 "root_cause": [
  {
   "type": "script_exception",
   "reason": "runtime error",
   "script_stack": [
    "match = /User <(.*)> IP/.matcher(doc['event.original']);\r\n",
    "                                    ^---- HERE"
   ],
   "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original']);\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
   "lang": "painless"
  }
 ],
 "type": "search_phase_execution_exception",
 "reason": "all shards failed",
 "phase": "query",
 "grouped": true,
 "failed_shards": [
  {
   "shard": 0,
   "index": "filebeat-7.6.2-2020.04.24-000001",
   "node": "I0KYH24DQNyyw57l5GaA0g",
   "reason": {
    "type": "script_exception",
    "reason": "runtime error",
    "script_stack": [
     "match = /User <(.*)> IP/.matcher(doc['event.original']);\r\n",
     "                                    ^---- HERE"
    ],
    "script": "Matcher match = /User <(.*)> IP/.matcher(doc['event.original']);\r\nif (match.matches()) {\r\n  return match.group(1);\r\n} else {\r\n  return 'no user found';\r\n}",
    "lang": "painless",
    "caused_by": {
     "type": "class_cast_exception",
     "reason": "class org.elasticsearch.index.fielddata.ScriptDocValues$Strings cannot be cast to class java.lang.CharSequence (org.elasticsearch.index.fielddata.ScriptDocValues$Strings is in unnamed module of loader 'app'; java.lang.CharSequence is in module java.base of loader 'bootstrap')"
    }
   }
  }
 ]
}

Any ideas?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.