This is only one runtime field from our repository. Also visit the complete Elastic runtime field repository to get the full overview of what's possible.


In this section we show runtime field examples that have been submitted by other users. Getting input from the Elastic Community is a great help: it enables Elasticsearch users all around the world to solve their needs more quickly. Thanks for all the contributions that have been made.

Elastic Runtime field examples from Leaf

index_stats.index_date

This is useful to extract all indices or data streams and find out the date of each index from its name, which in turn is useful for aggregating data usage.

if (doc['index_stats.index'].size() != 0) {
	def index_name = doc['index_stats.index'].value;
	if (index_name !=null) {
		if (index_name =~ /[12][0-9]{3}./) { // match year pattern like 1903, 2021
			Map my=grok('(%{GREEDYDATA:pattern}-%{INT:year}\\.%{INT:month}\\.%{INT:day})|(%{GREEDYDATA:pattern}-%{INT:year}\\.%{INT:month}\\.%{INT:day}-%{GREEDYDATA:junk})|(%{GREEDYDATA:pattern}-%{INT:year}-%{INT:month}-%{INT:day})').extract(index_name);
			if (my !=null) {
				emit(my.year+"."+my.month+"."+my.day);
			}
		}
	}
}

index_stats.index_pattern

This is useful to extract all indices or data streams and find out the index pattern each index belongs to, which in turn is useful for aggregating data usage.

if (doc['index_stats.index'].size() != 0) {
	def index_name = doc['index_stats.index'].value;
	if (index_name != null) {
		if (index_name =~ /[12][0-9]{3}./) { // match year pattern like 1903, 2021
			Map my = grok('(%{GREEDYDATA:pattern}-%{INT:year}\\.%{INT:month}\\.%{INT:day})|(%{GREEDYDATA:pattern}-%{INT:year}\\.%{INT:month}\\.%{INT:day}-%{GREEDYDATA:junk2})|(%{GREEDYDATA:pattern}-%{INT:year}-%{INT:month}-%{INT:day})').extract(index_name);
			if (my != null) {
				emit(my.pattern);
			} else {
				// year-like digits but none of the known date layouts: the whole name is the pattern
				emit(index_name);
			}
		} else {
			// no date in the name at all (e.g. .kibana_1): the whole name is the pattern
			emit(index_name);
		}
	}
}
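To try the date and pattern extraction against sample index names before deploying the two scripts above, here is an added reference model in Python (not part of the page and not Elastic code). It replaces the grok expression with an equivalent regular expression covering the same three layouts (dotted date, dotted date with a trailing suffix, dashed date) and keeps the page's [12][0-9]{3} year check; the index names and sizes are constructed, and the aggregation at the end is the "data usage per pattern" use the text mentions.

```python
import re

# Equivalent of the grok pattern used by index_stats.index_date / index_stats.index_pattern.
# Layouts: "name-YYYY.MM.DD", "name-YYYY.MM.DD-suffix" and "name-YYYY-MM-DD".
# Month/day follow grok's INT (one or more digits); the separator must be consistent.
DATED_INDEX = re.compile(
    r"^(?P<pattern>.+)-(?P<year>[12][0-9]{3})"
    r"(?P<sep>[.-])(?P<month>[0-9]{1,2})(?P=sep)(?P<day>[0-9]{1,2})"
    r"(?:-(?P<junk>.*))?$"
)


def index_date(index_name):
    """index_stats.index_date: 'YYYY.MM.DD' taken from the index name, or None if it has no date."""
    m = DATED_INDEX.match(index_name)
    if m is None:
        return None
    return f"{m['year']}.{m['month']}.{m['day']}"


def index_pattern(index_name):
    """index_stats.index_pattern: the name with the date (and rollover suffix) stripped.

    An undated index such as .kibana_1 is its own pattern, which is the branch the
    Painless script emits when no date is found.
    """
    m = DATED_INDEX.match(index_name)
    return m["pattern"] if m else index_name


def usage_by_pattern(index_sizes):
    """Sum store sizes per pattern: the aggregation the text says these fields are for."""
    totals = {}
    for name, size_bytes in index_sizes:
        key = index_pattern(name)
        totals[key] = totals.get(key, 0) + size_bytes
    return totals


# Constructed sample of (index name, store size in bytes); not real cluster data.
SAMPLE_INDEX_SIZES = [
    ("filebeat-7.10.1-2021.03.04", 120_000),
    ("filebeat-7.10.1-2021.03.05", 130_000),
    ("logs-2021.03.04-000001", 50_000),   # dotted date followed by an ILM rollover suffix
    ("metrics-2021-03-04", 70_000),       # dashed date
    (".kibana_1", 1_000),                 # no date at all
]

if __name__ == "__main__":
    for name, _ in SAMPLE_INDEX_SIZES:
        print(f"{name:32} date={index_date(name)!s:12} pattern={index_pattern(name)}")
    print(usage_by_pattern(SAMPLE_INDEX_SIZES))
```

The regex is anchored, so a name is either fully explained as pattern plus date plus optional suffix or left untouched; the greedy pattern group means an index whose name itself contains a version such as filebeat-7.10.1 keeps that version as part of the pattern.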

logger.category

You can use this to extract the logger category from application log events, so that data can be aggregated at a higher level of the logger hierarchy.

if (doc['logger.keyword'].size() != 0) {
	def fullname = doc['logger.keyword'].value;
	def xpack = "org.elasticsearch.xpack";
	def http = "org.elasticsearch.http";
	def org = "org.elasticsearch";
	if (fullname != null) {
		def base = null;
		// most specific prefix first; the prefix must be followed by a dot so that
		// e.g. org.elasticsearch.httpclient is not treated as org.elasticsearch.http
		if (fullname.startsWith(http + ".")) {
			base = http;
		} else if (fullname.startsWith(xpack + ".")) {
			base = xpack;
		} else if (fullname.startsWith(org + ".")) {
			base = org;
		}
		if (base != null) {
			def prefix = fullname.substring(base.length() + 1);
			int firstDotIndex = prefix.indexOf('.');
			// a logger directly below the prefix has no further dot; emit it whole
			// instead of failing on substring(0, -1)
			emit(firstDotIndex < 0 ? prefix : prefix.substring(0, firstDotIndex));
		}
	}
}
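An added Python model of the logger.category logic (not from the page or from Elastic), using the same three prefixes, so the category mapping can be checked offline on sample logger names. The logger names below are constructed; the edge cases covered are a prefix that is only a partial segment match and a logger that sits directly below the prefix with no further dot.

```python
# Prefixes in the same order as the script: most specific first.
PREFIXES = (
    "org.elasticsearch.http",
    "org.elasticsearch.xpack",
    "org.elasticsearch",
)


def logger_category(fullname):
    """First path segment below the longest matching prefix; None for other loggers.

    A prefix only matches as a whole segment (prefix followed by a dot), so
    'org.elasticsearch.httpclient.X' falls under the generic org.elasticsearch
    prefix and yields 'httpclient'. A logger with no further dot after the prefix
    is returned whole rather than raising on an out-of-range substring.
    """
    if fullname is None:
        return None
    for prefix in PREFIXES:
        if fullname.startswith(prefix + "."):
            rest = fullname[len(prefix) + 1:]
            return rest.split(".", 1)[0]
    return None


def category_counts(logger_names):
    """Count events per category, which is what the runtime field is aggregated on."""
    counts = {}
    for name in logger_names:
        cat = logger_category(name)
        if cat is not None:
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample logger names as they would appear in logger.keyword.
SAMPLE_LOGGERS = [
    "org.elasticsearch.xpack.security.authc.AuthenticationService",
    "org.elasticsearch.xpack.security.authz.AuthorizationService",
    "org.elasticsearch.http.netty4.Netty4HttpServerTransport",
    "org.elasticsearch.http.HttpServerTransport",
    "org.elasticsearch.cluster.service.MasterService",
    "org.elasticsearch.httpclient.Probe",
    "org.apache.http.wire",
]

if __name__ == "__main__":
    for name in SAMPLE_LOGGERS:
        print(f"{name:64} -> {logger_category(name)}")
    print(category_counts(SAMPLE_LOGGERS))
```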

version_for_sorting

This exists because traditionally we have x.y.z as the version number, which is not sortable (it is sorted as a string rather than numerically, so the order becomes 7.1.0, 7.10.1, 7.2.0) and not queryable: one cannot say "I want to check versions greater than x.y.z". With the 0x0y0z model both become possible.

If you have permission to modify the mapping of the index, change the field to the version type instead; then there is no need for a runtime field.

if (doc['version.keyword'].size() != 0) {
	def version = doc['version.keyword'].value;
	if (version != null) {
		int firstDot = version.indexOf('.');
		int secondDot = version.indexOf('.', firstDot + 1);
		// only x.y.z values are handled; with fewer dots substring() would throw
		if (firstDot > 0 && secondDot > firstDot) {
			def major = version.substring(0, firstDot);
			def minor = version.substring(firstDot + 1, secondDot);
			def patch = version.substring(secondDot + 1);

			// left-pad each component to two digits: 7.10.1 -> 071001
			while (major.length() < 2) {
				major = "0" + major;
			}
			while (minor.length() < 2) {
				minor = "0" + minor;
			}
			while (patch.length() < 2) {
				patch = "0" + patch;
			}
			emit(major + minor + patch);
		}
	}
}
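To see the sorting problem the text describes and the effect of the 0x0y0z key, here is an added Python example (not from the page or from Elastic). It builds the same zero-padded key, shows the lexical order versus the keyed order, and answers the "greater than x.y.z" question as a comparison on the key; the version list is constructed. It goes slightly beyond the script in two ways: the padding width is a parameter, and values that are not three numeric components (a bare "7.1" or "7.10.1-SNAPSHOT") get no key instead of a key that would sort wrongly.

```python
def version_for_sorting(version, width=2):
    """Zero-pad an x.y.z version into a fixed-width sort key (7.10.1 -> '071001').

    Returns None for anything that is not three purely numeric dot-separated
    parts, e.g. '7.1' or '7.10.1-SNAPSHOT'.
    """
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return "".join(p.zfill(width) for p in parts)


def lexical_order(versions):
    """How the raw keyword field sorts: character by character."""
    return sorted(versions)


def keyed_order(versions, width=2):
    """How the runtime field sorts: numerically per component via the padded key."""
    keyed = [v for v in versions if version_for_sorting(v, width) is not None]
    return sorted(keyed, key=lambda v: version_for_sorting(v, width))


def newer_than(versions, floor, width=2):
    """The range query the text asks for: every version strictly greater than floor."""
    floor_key = version_for_sorting(floor, width)
    result = []
    for v in versions:
        key = version_for_sorting(v, width)
        if key is not None and key > floor_key:
            result.append(v)
    return result


# Constructed sample values as they might appear in version.keyword.
SAMPLE_VERSIONS = ["7.1.0", "7.10.1", "7.2.0", "6.8.23", "8.0.0"]

if __name__ == "__main__":
    print("lexical:", lexical_order(SAMPLE_VERSIONS))
    print("keyed:  ", keyed_order(SAMPLE_VERSIONS))
    print("> 7.2.0:", newer_than(SAMPLE_VERSIONS, "7.2.0"))
```

The key only orders correctly while every component fits in the chosen width: zfill never truncates, so a component such as 100 produces a longer key and breaks the comparison. Pick the width from the largest component you expect, or, as the text says, use the version field type when you control the mapping.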

Elastic Runtime field examples from Graham

Sorted day of week

A day of the week that's sortable in visualizations. This is an extension of the date math group of runtime fields. More date masks (format patterns) can be found in the Java docs.

if (doc['timestamp'].size() != 0) {
	ZonedDateTime input = doc['timestamp'].value;
	// 'e' is the localized day-of-week number and 'E' the short day name, so the value sorts by number but still reads as a name
	String output = input.format(DateTimeFormatter.ofPattern('e')) + ' ' + input.format(DateTimeFormatter.ofPattern('E'));
	emit(output);
}

Return a static value when a condition is met

This runtime field can be useful for integrating event-style information into visualizations. The example uses "record_score" from ML anomalies to show only the anomalies above a certain score, without showing the score itself on the visualization. The first conditional accounts for empty values. You can take this example runtime field and easily adapt it to any other numeric field. You could also add multiple categories and expose this field as a keyword field.

// Return 1 when record_score exceeds the threshold, 0 otherwise (including when the field is missing)
if (doc['record_score'].size()==0) {
	emit(0);
} else {
	if (doc['record_score'].value > 0.5 ) {
		emit(1);
	} else {
		emit(0);
	}
}
content share admin

About the author: Creator of the Elastic Content Share.
