Description
Similar to the user agent processor for ingest pipelines, there should be an ESQL command performing the same action.
Since parsing a user agent produces multiple outputs, multiple columns need to be added to the resulting table:
ROW my_user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" | USER_AGENT my_user_agent as my_parsed_user_agent
Would return
{
  "columns": [
    { "name": "my_user_agent", "type": "keyword" },
    { "name": "my_parsed_user_agent.name", "type": "keyword" },
    { "name": "my_parsed_user_agent.version", "type": "keyword" },
    { "name": "my_parsed_user_agent.os.name", "type": "keyword" },
    { "name": "my_parsed_user_agent.os.version", "type": "keyword" },
    { "name": "my_parsed_user_agent.os.full", "type": "keyword" },
    { "name": "my_parsed_user_agent.device.name", "type": "keyword" }
  ],
  "values": [
    [
      "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
      "Chrome",
      "51.0.2704.103",
      "Mac OS X",
      "10.10.5",
      "Mac OS X 10.10.5",
      "Mac"
    ]
  ]
}
Here, my_parsed_user_agent is used as the prefix for the columns created by the command. If not provided, the prefix user_agent is used by default.
The argument provided to the user_agent command needs to evaluate to a string column.
Multi-values should not be supported - in case the argument provided to user_agent evaluates to a multi-value, the row is skipped and a warning is emitted (single-value command encountered multi-value). This is done because parsing multiple user agents in a single row wouldn't result in a usable output shape.
If the input can't be parsed, all user_agent.* columns are set to null.
In contrast to the ingest processor, the following things are not supported:
- Limiting which properties are added (in case the user doesn't need all of them, they need to be dropped afterwards)
- Specifying a custom regex file - the default regex file from uap-core is always used. This regex file is guaranteed to be available
- Extracting the device type on a best-effort basis
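The output shape and edge-case rules described above, modelled in Python as an added illustration (not Elasticsearch's own code): six columns under a caller-chosen prefix, null columns for unparseable input, and a skipped row plus warning for multi-values. The regexes are small constructed stand-ins for the uap-core file and only cover the page's Chrome/Mac example.

```python
import re
import warnings

# Constructed stand-ins for the uap-core regex file the proposal relies on.
# User-Agent is attacker-controlled input, so the patterns are kept linear
# (no nested quantifiers) to avoid catastrophic backtracking on hostile values.
BROWSER_RE = re.compile(r"\b(Chrome|Firefox|Edge)/(\d+(?:\.\d+)*)")
OS_RE = re.compile(r"\b(Mac OS X|Windows NT|Android)(?: ([\d_.]+))?")
DEVICE_RE = re.compile(r"\((Macintosh|iPhone|iPad)\b")
DEVICE_NAMES = {"Macintosh": "Mac", "iPhone": "iPhone", "iPad": "iPad"}
FIELDS = ("name", "version", "os.name", "os.version", "os.full", "device.name")


def parse_user_agent(ua):
    """Return the six field values, or None when nothing recognisable is found."""
    browser = BROWSER_RE.search(ua)
    os_match = OS_RE.search(ua)
    device = DEVICE_RE.search(ua)
    if not (browser or os_match or device):
        return None
    name, version = browser.groups() if browser else (None, None)
    os_name, os_version = os_match.groups() if os_match else (None, None)
    if os_version:
        os_version = os_version.replace("_", ".")  # "10_10_5" -> "10.10.5"
    os_full = f"{os_name} {os_version}" if os_name and os_version else os_name
    device_name = DEVICE_NAMES[device.group(1)] if device else None
    return (name, version, os_name, os_version, os_full, device_name)


def user_agent_command(rows, column, prefix="user_agent"):
    """Model of the proposed USER_AGENT command: one input column, six added.

    rows: list of dicts, one per table row. A multi-valued input (a list) skips
    the row with a warning; unparseable input yields null for every new column.
    """
    columns = [column] + [f"{prefix}.{f}" for f in FIELDS]
    values = []
    for row in rows:
        ua = row.get(column)
        if isinstance(ua, list):
            warnings.warn("single-value command encountered multi-value")
            continue
        parsed = parse_user_agent(ua) if isinstance(ua, str) else None
        values.append([ua] + (list(parsed) if parsed else [None] * len(FIELDS)))
    return {"columns": columns, "values": values}
```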