At https://www.elastic.co/guide/en/elasticsearch/reference/master/runtime-examples.html#runtime-examples-grok we are documenting how to use runtime fields in the mapping. Can we please also document that this can be used in a search query? E.g.:
```
GET my-index/_search
{
  "runtime_mappings": {
    "clientip": {
      "type": "keyword",
      "script": {
        "source": """
          // extract the client IP from the raw log line; the original had a stray ')' after .value
          String clientip = grok('%{COMMONAPACHELOG}').extract(doc["message"].value)?.clientip;
          if (clientip != null) emit(clientip);
        """
      }
    }
  }
}
```
In addition, would it be worth documenting that tokenized values (neither `keyword` nor `wildcard`, but `text` with fielddata) are accessed via `.extract(params["_source"]["message"])` instead of `.extract(doc["message"])`?
Finally, Grok seems to be pickier in runtime fields than in the Kibana Grok debugger, especially regarding whitespace. E.g.:

- Raw: `"clientip = 127.0.0.1"`
- Kibana Grok debugger: `clientip = %{COMMONAPACHELOG}` will match.
- Runtime Grok: `grok("clientip = %{COMMONAPACHELOG}")` will not match and requires `grok("clientip\\s=\\s%{COMMONAPACHELOG}")` instead.
Ref. https://github.com/elastic/sdh-elasticsearch/issues/4361
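Pulling the three points above together as an added example (not from the original issue or the Elastic docs): a search request that defines the runtime field inline, reads the `text` field through `params["_source"]`, escapes the whitespace in the grok pattern, and then filters and aggregates on the resulting field. The index name `my-index`, the `message` field and the `clientip = <apache log line>` message shape are assumptions.

```console
GET my-index/_search
{
  "runtime_mappings": {
    "clientip": {
      "type": "keyword",
      "script": {
        "source": """
          // Assumption: message is a text field, so read it from _source rather than doc values.
          def msg = params["_source"]["message"];
          if (msg != null) {
            // Assumption: lines look like "clientip = <apache log line>"; the spaces are
            // written as \\s because a literal space in the runtime grok pattern did not match.
            def parts = grok("clientip\\s=\\s%{COMMONAPACHELOG}").extract(msg);
            if (parts != null && parts.clientip != null) {
              emit(parts.clientip);
            }
          }
        """
      }
    }
  },
  "query": {
    "exists": { "field": "clientip" }
  },
  "aggs": {
    "top_clients": {
      "terms": { "field": "clientip", "size": 10 }
    }
  },
  "size": 0
}
```

The `exists` query keeps only documents where the pattern matched, so the `terms` aggregation counts hits per extracted client IP without persisting anything to the mapping.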