从字段数组中提取文本

时间:2017-07-17 05:11:34

标签: elasticsearch kibana elasticsearch-painless

其中一个名为" resources"有以下2个内部文件。

  {
  "type": "AWS::S3::Object",
  "ARN": "arn:aws:s3:::sms_vild/servers_backup/db_1246/db/reports_201706.schema"
},
{
  "accountId": "934331768510612",
  "type": "AWS::S3::Bucket",
  "ARN": "arn:aws:s3:::sms_vild"
}

我需要拆分ARN字段并获取它的最后一部分。即" reports_201706.schema "最好使用脚本字段。

我尝试过:

1)我检查了fileds列表,发现只有2个条目resources.accountId和resources.type

2)我尝试使用日期时间字段,它在脚本字段选项(表达式)中正常工作。

doc['eventTime'].value

3)但是对于例如其他文本字段也是如此。

doc['eventType'].value

出现此错误:

"caused_by":{"type":"script_exception","reason":"link error","script_stack":["doc['eventType'].value","^---- HERE"],"script":"doc['eventType'].value","lang":"expression","caused_by":{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [eventType] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory."}}},"status":500}

这意味着我需要更改映射。有没有其他方法从对象中的嵌套数组中提取文本?

更新

请在这里访问样本kibana ...

https://search-accountact-phhofxr23bjev4uscghwda4y7m.us-east-1.es.amazonaws.com/_plugin/kibana/

搜索" ebs_attach.png"然后检查资源字段。你会看到2个这样的嵌套数组......

 {
  "type": "AWS::S3::Object",
  "ARN": "arn:aws:s3:::datameetgeo/ebs_attach.png"
},
{
  "accountId": "513469704633",
  "type": "AWS::S3::Bucket",
  "ARN": "arn:aws:s3:::datameetgeo"
}

我需要拆分ARN字段并提取最后一部分" ebs_attach.png"

如果我可以将其显示为脚本字段,那么我可以在发现选项卡上并排查看存储桶名称和文件名。

更新2

换句话说,我试图将此图像中显示的文本提取为发现选项卡上的新字段。

enter image description here

2 个答案:

答案 0 :(得分:2)

虽然您可以使用脚本编写,但我强烈建议您在索引时提取这些信息。我在这里提供了两个例子,它们远非故障保护(你需要使用不同的路径进行测试或者根本没有这个字段),但它应该提供一个基础来开始

PUT foo/bar/1
{
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::sms_vild/servers_backup/db_1246/db/reports_201706.schema"
    },
    {
      "accountId": "934331768510612",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::sms_vild"
    }
  ]
}

# this is slow!!!
GET foo/_search
{
  "script_fields": {
    "document": {
      "script": {
        "inline": "return params._source.resources.stream().filter(r -> 'AWS::S3::Object'.equals(r.type)).map(r -> r.ARN.substring(r.ARN.lastIndexOf('/') + 1)).findFirst().orElse('NONE')"
      }
    }
  }
}

# Do this on index time, by adding a pipeline
PUT _ingest/pipeline/my-pipeline-id
{
  "description" : "describe pipeline",
  "processors" : [
    {
      "script" : {
        "inline": "ctx.filename = ctx.resources.stream().filter(r -> 'AWS::S3::Object'.equals(r.type)).map(r -> r.ARN.substring(r.ARN.lastIndexOf('/') + 1)).findFirst().orElse('NONE')"
      }
    }
  ]
}

# Store the document, specify the pipeline
PUT foo/bar/1?pipeline=my-pipeline-id
{
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::sms_vild/servers_backup/db_1246/db/reports_201706.schema"
    },
    {
      "accountId": "934331768510612",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::sms_vild"
    }
  ]
}

# lets check the filename field of the indexed document by getting it
GET foo/bar/1

# We can even search for this file now
GET foo/_search
{
  "query": {
    "match": {
      "filename": "reports_201706.schema"
    }
  }
}

答案 1 :(得分:0)

注意:被认为是“资源”是一种数组

NSArray *array_ARN_Values = [resources valueForKey:@"ARN"];

希望它对你有用!!!