elasticsearch

mirror of https://github.com/elastic/elasticsearch.git synced 2025-06-28 09:28:55 -04:00

History

Luca Cavanna 32d2f60f8a Emit multiple fields from a runtime field script (#75108 ) We have recently introduced support for grok and dissect to the runtime fields Painless context that allows to split a field into multiple fields. However, each runtime field can only emit values for a single field. This commit introduces support for emitting multiple fields from the same script. The API call to define a runtime field that emits multiple fields is the following: ``` PUT localhost:9200/logs/_mappings { "runtime" : { "log" : { "type" : "composite", "script" : "emit(grok(\"%{COMMONAPACHELOG}\").extract(doc[\"message.keyword\"].value))", "fields" : { "clientip" : { "type" : "ip" }, "response" : { "type" : "long" } } } } } ``` The script context for this new field type accepts two emit signatures: * `emit(String, Object)` * `emit(Map)` Sub-fields need to be declared under fields in order to be discoverable through the field_caps API and accessible through the search API. The way that it emits multiple fields is by returning multiple MappedFieldTypes from RuntimeField#asMappedFieldTypes. The sub-fields are instances of the runtime fields that are already supported, with a little tweak to adapt the script defined by their parent to an artificial script factory for each of the sub-fields that makes its corresponding sub-field accessible. This approach allows to reuse all of the existing runtime fields code for the sub-fields. The runtime section has been flat so far as it has not supported objects until now. That stays the same, meaning that runtime fields can have dots in their names. Because there are though two ways to create the same field with the introduction of the ability to emit multiple fields, we have to make sure that a runtime field with a certain name cannot be defined twice, which is why the following mappings are rejected with the error `Found two runtime fields with same name [log.response]`: ``` PUT localhost:9200/logs/_mappings { "runtime" : { "log.response" : { "type" : "keyword" }, "log" : { "type" : "composite", "script" : "emit(\"response\", grok(\"%{COMMONAPACHELOG}\").extract(doc[\"message.keyword\"].value)?.response)", "fields" : { "response" : { "type" : "long" } } } } } ``` Closes #68203	2021-08-10 13:07:53 +01:00
..
src	Emit multiple fields from a runtime field script (#75108 )	2021-08-10 13:07:53 +01:00
build.gradle	Apply REST API compatibility testing for the :modules (#71137 )	2021-04-02 11:20:54 -05:00

Emit multiple fields from a runtime field script (#75108 )

We have recently introduced support for grok and dissect to the runtime fields 
Painless context that allows to split a field into multiple fields. However, each runtime 
field can only emit values for a single field. This commit introduces support for emitting 
multiple fields from the same script.

The API call to define a runtime field that emits multiple fields is the following:

```
PUT localhost:9200/logs/_mappings
{
    "runtime" : {
      "log" : {
        "type" : "composite",
        "script" : "emit(grok(\"%{COMMONAPACHELOG}\").extract(doc[\"message.keyword\"].value))",
        "fields" : {
            "clientip" : {
                "type" : "ip"
            },
            "response" : {
                "type" : "long"
            }
        }
      }
    }
}
```

The script context for this new field type accepts two emit signatures:

* `emit(String, Object)`
* `emit(Map)`

Sub-fields need to be declared under fields in order to be discoverable through 
the field_caps API and accessible through the search API. 

The way that it emits multiple fields is by returning multiple MappedFieldTypes 
from RuntimeField#asMappedFieldTypes. The sub-fields are instances of the 
runtime fields that are already supported, with a little tweak to adapt the script 
defined by their parent to an artificial script factory for each of the sub-fields 
that makes its corresponding sub-field accessible. This approach allows to reuse 
all of the existing runtime fields code for the sub-fields.

The runtime section has been flat so far as it has not supported objects until now. 
That stays the same, meaning that runtime fields can have dots in their names. 
Because there are though two ways to create the same field with the introduction 
of the ability to emit multiple fields, we have to make sure that a runtime field with 
a certain name cannot be defined twice, which is why the following mappings are 
rejected with the error `Found two runtime fields with same name [log.response]`:

```
PUT localhost:9200/logs/_mappings
{
    "runtime" : {
        "log.response" : {
            "type" : "keyword"
        },
        "log" : {
            "type" : "composite",
            "script" : "emit(\"response\", grok(\"%{COMMONAPACHELOG}\").extract(doc[\"message.keyword\"].value)?.response)",
            "fields" : {
                "response" : {
                    "type" : "long"
                }
            }
        }
    }
}
```

Closes #68203

2021-08-10 13:07:53 +01:00

src

Emit multiple fields from a runtime field script (#75108 )

2021-08-10 13:07:53 +01:00

build.gradle

Apply REST API compatibility testing for the :modules (#71137 )

2021-04-02 11:20:54 -05:00