Hello Everyone!
I want to do some basic stuff that I can do super easy with Splunk of extracting new fields from logs that are already indexed, and with the Painless Script in Kibana seems to be very difficult and almost impossible to do it.
This is an example of my log in the field message
15Jan20 06:30:24.39 PRIFBLOQ MXP1 RACF ALTUSER success for PRIFBLOQ: ALTUSER X302034
Jobname + id: RFJPDABC
RACF command: ALTUSER X302034 DATA(02651484000000000000000)
Name : BLOQUEO Y BAJAS RACF Instdata : U PROC. BAJAS Y BLOQUEOS AUTOM. DE RACF
Y want to extract some data of that message field with regular expressions:
This is my Painless Script:
def m = /RACF\scommand:\s\w+\s\w+\s(?P<activity>.+)\sName/.matcher(doc['message.keyword'].value);
if ( m.matches() ) {
return m.group(1)
} else {
return "no match"
}
When I try to save the new field it says the script is invalid, I was wondering if the Painless Script can't work with the message field.
Could you help me to figure out was going wrong?
Best regards