I am trying to create some scripted fields using Painless by capturing some "keyword" in the log field, which is a long text field. For example, I have a bunch of log fields:
"Error: Duplicate entry in user1"
"Error: Duplicate entry in user2"
"Error: Duplicate entry in user1"
"Error: Duplicate entry in user3"
"Error: Duplicate entry in user2"
"Error: Duplicate entry in user1"
"Error: Duplicate entry in user3"
The Painless I was using:

    // exact equality: only matches if the whole value is "Duplicate entry"
    if (doc['log.keyword'].value == 'Duplicate entry') {
        return "match";
    }
    return "No match";
to capture only the "Duplicate entry" error message regardless of user ID. I am sure I need to use a regex to do that. I am just wondering if there is another way to do it without using a regex. Any suggestions?
There are lots of ways. You can try this:
    GET logs/_search
    {
      "query": {
        "script": {
          "script": """
            // size() == 0 covers a missing field without touching .value,
            // which throws on an empty field in newer Elasticsearch versions
            if (doc["log.keyword"].size() == 0) return false;
            // substring test instead of exact equality, so the user id suffix does not matter
            return doc["log.keyword"].value.contains("Duplicate entry");
          """
        }
      }
    }
In Kibana 5 triple quotes might not work. I don't remember exactly. Just replace them with single quotes.
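The same substring check written as the Kibana scripted field the question actually asked for, as an added example rather than code from either post. It assumes the message is indexed under the keyword sub-field `log.keyword` (as in the thread) and returns the "match" / "No match" strings the questioner's script used:

```painless
// Added example (not from the original thread): a Kibana scripted field that
// classifies a log line by substring instead of exact equality.
// Assumes the log message is available as the keyword sub-field "log.keyword".
if (doc['log.keyword'].size() == 0) {
  // No doc value for this document: the field is absent, or the string was
  // longer than the keyword mapping's ignore_above limit and was not indexed.
  // Returning here avoids calling .value on an empty field, which throws
  // in newer Elasticsearch versions instead of returning null.
  return "No match";
}
// String.contains is allowlisted in Painless; the user id after
// "Duplicate entry" is ignored, so user1/user2/user3 all classify the same way.
if (doc['log.keyword'].value.contains("Duplicate entry")) {
  return "match";
}
return "No match";
```

One caveat worth checking before relying on this: a dynamically mapped string field gets a `.keyword` sub-field with `ignore_above: 256`, so log lines longer than that have no keyword doc value at all and will always fall into the "No match" branch. If the log field is genuinely long, raise `ignore_above` in the mapping or index a dedicated keyword field, otherwise both the scripted field and the script query above silently miss those documents.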