github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-28 11:05:39 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/docs/management/manage-data-views.asciidoc
Davis McPhee 4215a637da
[Data Views] Disable scripted field creation in the Data Views management page (#202250) 
## Summary

Scripted fields in data views have been deprecated since 7.13, and
superseded by runtime fields.

The ability to create new scripted fields has been removed from the Data
Views management page in 9.0. Existing scripted fields can still be
edited or deleted, and the creation UI can be accessed by navigating
directly to
`/app/management/kibana/dataViews/dataView/{dataViewId}/create-field`,
but it is recommended to migrate to runtime fields or ES|QL instead to
prepare for removal.

Additionally, the scripted fields entry in the Upgrade Assistant has
been updated to reflect these changes, improve migration instructions,
and surface the full list of data views across all spaces that contain
scripted fields as well as their associated spaces. New documentation
has been added to the "Manage data views" page with examples and
instructions to help users migrate off scripted fields to runtime fields
or ES|QL, which is also linked to from the Upgrade Assistant entry.

Data Views management page:

![management](https://github.com/user-attachments/assets/ed42310c-d7fa-48ba-8430-533e9230b48d)

Upgrade Assistant:
<img
src="https://github.com/user-attachments/assets/4ff27866-4fe8-4357-82e8-cd4c503ab50b"
width="500" />

Resolves #182067.

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Matt Kime <matt@mattki.me>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2024-12-05 20:11:34 -04:00

384 lines
14 KiB
Text
Raw Blame History

[[managing-data-views]]
== Manage data views
:frontmatter-description: Conceptual and step-by-step procedures for using runtime fields, scripted fields, and field formatters.
:frontmatter-tags-products: [kibana]
To customize the data fields in your data view,
you can add runtime fields to the existing documents,
add scripted fields to compute data on the fly, and change how {kib} displays the data fields.
[float]
[[runtime-fields]]
=== Explore your data with runtime fields
Runtime fields are fields that you add to documents after you've ingested your data, and are evaluated at query time. With runtime fields, you allow for a smaller index and faster ingest time so that you can use less resources and reduce your operating costs.
You can use runtime fields anywhere data views are used, for example, you can explore runtime fields in *Discover* and create visualizations with runtime fields for your dashboard.
With runtime fields, you can:
* Define fields for a specific use case without modifying the underlying schema.
* Override the returned values from index fields.
* Start working on your data without understanding the structure.
* Add fields to existing documents without reindexing your data.
WARNING: Runtime fields can impact {kib} performance. When you run a query, {es} uses the fields you index first to shorten the response time.
Index the fields that you commonly search for and filter on, such as `timestamp`, then use runtime fields to limit the number of fields {es} uses to calculate values.
For detailed information on how to use runtime fields with {es}, refer to {ref}/runtime.html[Runtime fields].
[float]
[[create-runtime-fields]]
==== Add runtime fields
To add runtime fields to your data views, open the data view you want to change,
then define the field values by emitting a single value using
the {ref}/modules-scripting-painless.html[Painless scripting language].
You can also add runtime fields in <<add-field-in-discover,*Discover*>> and <<change-the-fields,*Lens*>>.
. Go to the *Data Views* management page using the navigation menu or the <<kibana-navigation-search,global search field>>.
. Select the data view that you want to add the runtime field to, then click *Add field*.
. Enter the field *Name*, then select the *Type*.
. Select *Set custom label*, then enter the label you want to display where the data view is used,
such as *Discover*.
. Select *Set value*, then define the script. The script must match the *Type*, or the data view fails anywhere it is used.
. To help you define the script, use the *Preview*:
* To view the other available fields, use the *Document ID* arrows.
* To filter the fields list, enter the keyword in *Filter fields*.
* To pin frequently used fields to the top of the list, hover over the field,
then click image:images/stackManagement-indexPatterns-pinRuntimeField-7.15.png[Icon to pin field to the top of the list].
. Click *Create field*.
[float]
[[runtime-field-examples]]
==== Runtime field examples
Try the runtime field examples on your own using the <<gs-get-data-into-kibana,*Sample web logs*>> data.
[float]
[[simple-hello-world-example]]
==== Return a keyword value
Return `Hello World!`:
[source,text]
----
emit("Hello World!");
----
image:management/images/runtime_field.png[Runtime field with keyword type]
[float]
[[perform-a-calculation-on-a-single-field]]
==== Perform a calculation on a single field
Calculate kilobytes from bytes:
[source,text]
----
emit(doc['bytes'].value / 1024)
----
[float]
[[return-substring]]
==== Return a substring
Return the string that appears after the last slash in the URL:
[source,text]
----
def path = doc["url.keyword"].value;
if (path != null) {
int lastSlashIndex = path.lastIndexOf('/');
if (lastSlashIndex > 0) {
emit(path.substring(lastSlashIndex+1));
return;
}
}
emit("");
----
[float]
[[composite-runtime-field]]
==== Return multiple fields with a composite runtime field
A single runtime field can also produce multiple subfields when the type `Composite` is selected. The script editor provides default types that can be customized for each subfields.
Return `keyword` and `double` type subfields. Note that the first argument for `emit` is the name of the subfield.
[source,text]
----
emit('subfield_a', 'Hello');
emit('subfield_b', 42);
----
image:management/images/runtime_field_composite.png[Runtime field with composite type]
[float]
[[replace-nulls-with-blanks]]
==== Replace nulls with blanks
Replace `null` values with `None`:
[source,text]
----
def source = doc['referer'].value;
if (source != null) {
emit(source);
return;
}
else {
emit("None");
}
----
Specify the operating system condition:
[source,text]
----
def source = doc['machine.os.keyword'].value;
if (source != "") {
emit(source);
}
else {
emit("None");
}
----
[float]
[[manage-runtime-fields]]
==== Manage runtime fields
Edit the settings for runtime fields, or remove runtime fields from data views.
. Go to the *Data Views* management page using the navigation menu or the <<kibana-navigation-search,global search field>>.
. Select the data view that contains the runtime field you want to manage, then open the runtime field edit options or delete the runtime field.
[float]
[[scripted-fields]]
=== Add scripted fields to data views
deprecated::[7.13,Use {ref}/runtime.html[runtime fields] instead of scripted fields. Runtime fields support Painless scripting and provide greater flexibility. You can also use the {ref}/esql.html[Elasticsearch Query Language (ES|QL)] to compute values directly at query time.]
Scripted fields compute data on the fly from the data in your {es} indices. The data is shown on
the Discover tab as part of the document data, and you can use scripted fields in your visualizations. You query scripted fields with the <<kuery-query, {kib} query language>>, and can filter them using the filter bar. The scripted field values are computed at query time, so they aren't indexed and cannot be searched using the {kib} default
query language.
WARNING: Computing data on the fly with scripted fields can be very resource intensive and can have a direct impact on
{kib} performance. Keep in mind that there's no built-in validation of a scripted field. If your scripts are
buggy, you'll get exceptions whenever you try to view the dynamically generated data.
When you define a scripted field in {kib}, you have a choice of the {ref}/modules-scripting-expression.html[Lucene expressions] or the
{ref}/modules-scripting-painless.html[Painless] scripting language.
You can reference any single value numeric field in your expressions, for example:
----
doc['field_name'].value
----
For more information on scripted fields and additional examples, refer to
https://www.elastic.co/blog/using-painless-kibana-scripted-fields[Using Painless in {kib} scripted fields]
[float]
[[migrate-off-scripted-fields]]
==== Migrate to runtime fields or ES|QL queries
The following code snippets demonstrate how an example scripted field called `computed_values` on the Kibana Sample Data Logs data view could be migrated to either a runtime field or an ES|QL query, highlighting the differences between each approach.
[float]
[[scripted-field-example]]
===== Scripted field
In the scripted field example, variables are created to track all values the script will need to access or return. Since scripted fields can only return a single value, the created variables must be returned together as an array at the end of the script.
[source,text]
----
def hour_of_day = $('@timestamp', ZonedDateTime.parse('1970-01-01T00:00:00Z')).getHour();
def time_of_day = '';
if (hour_of_day >= 22 || hour_of_day < 5)
time_of_day = 'Night';
else if (hour_of_day < 12)
time_of_day = 'Morning';
else if (hour_of_day < 18)
time_of_day = 'Afternoon';
else
time_of_day = 'Evening';
def response_int = Integer.parseInt($('response.keyword', '200'));
def response_category = '';
if (response_int < 200)
response_category = 'Informational';
else if (response_int < 300)
response_category = 'Successful';
else if (response_int < 400)
response_category = 'Redirection';
else if (response_int < 500)
response_category = 'Client Error';
else
response_category = 'Server Error';
return [time_of_day, response_category];
----
[float]
[[runtime-field-example]]
===== Runtime field
Unlike scripted fields, runtime fields do not need to return a single value and can emit values at any point in the script, which will be combined and returned as a multi-value field. This allows for more flexibility in the script logic and removes the need to manually manage an array of values.
[source,text]
----
def hour_of_day = $('@timestamp', ZonedDateTime.parse('1970-01-01T00:00:00Z')).getHour();
if (hour_of_day >= 22 || hour_of_day < 5)
emit('Night');
else if (hour_of_day < 12)
emit('Morning');
else if (hour_of_day < 18)
emit('Afternoon');
else
emit('Evening');
def response_int = Integer.parseInt($('response.keyword', '200'));
if (response_int < 200)
emit('Informational');
else if (response_int < 300)
emit('Successful');
else if (response_int < 400)
emit('Redirection');
else if (response_int < 500)
emit('Client Error');
else
emit('Server Error');
----
[float]
[[esql-example]]
===== ES|QL query
Alternatively, ES|QL can be used to skip the need for data view management entirely and simply compute the values you need at query time. ES|QL supports computing multiple field values in a single query, using computed values with its rich set of commands and functions, and even aggregations against computed values. This makes it an excellent solution for one-off queries and realtime data analysis.
[source,esql]
----
FROM kibana_sample_data_logs
| EVAL hour_of_day = DATE_EXTRACT("HOUR_OF_DAY", @timestamp)
| EVAL time_of_day = CASE(
hour_of_day >= 22 OR hour_of_day < 5, "Night",
hour_of_day < 12, "Morning",
hour_of_day < 18, "Afternoon",
"Evening"
)
| EVAL response_int = TO_INTEGER(response)
| EVAL response_category = CASE(
response_int < 200, "Informational",
response_int < 300, "Successful",
response_int < 400, "Redirection",
response_int < 500, "Client Error",
"Server Error"
)
| EVAL computed_values = MV_APPEND(time_of_day, response_category)
| DROP hour_of_day, time_of_day, response_int, response_category
----
[float]
[[update-scripted-field]]
==== Manage scripted fields
WARNING: The ability to create new scripted fields has been removed from the *Data Views* management page in 9.0. Existing scripted fields can still be edited or deleted, and the creation UI can be accessed by navigating directly to `/app/management/kibana/dataViews/dataView/{dataViewId}/create-field`, but we recommend migrating to runtime fields or ES|QL queries instead to prepare for removal.
. Go to the *Data Views* management page using the navigation menu or the <<kibana-navigation-search,global search field>>.
. Select the data view that contains the scripted field you want to manage.
. Select the *Scripted fields* tab, then open the scripted field edit options or delete the scripted field.
For more information about scripted fields in {es}, refer to {ref}/modules-scripting.html[Scripting].
WARNING: Built-in validation is unsupported for scripted fields. When your scripts contain errors, you receive
exceptions when you view the dynamically generated data.
[float]
[[managing-fields]]
=== Format data fields
{kib} uses the same field types as {es}, however, some {es} field types are unsupported in {kib}.
To customize how {kib} displays data fields, use the formatting options.
. Go to the *Data Views* management page using the navigation menu or the <<kibana-navigation-search,global search field>>.
. Click the data view that contains the field you want to change.
. Find the field, then open the edit options (image:management/index-patterns/images/edit_icon.png[Data field edit icon]).
. Select *Set custom label*, then enter a *Custom label* for the field.
. Select *Set format*, then enter the *Format* for the field.
NOTE: For numeric fields the default field formatters are based on the `meta.unit` field. The unit is associated with a {ref}/api-conventions.html#time-units[time unit], percent, or byte. The convention for percents is to use value 1 to mean 100%.
[float]
[[string-field-formatters]]
==== String field formatters
String fields support *String* and *Url* formatters.
include::field-formatters/string-formatter.asciidoc[]
include::field-formatters/url-formatter.asciidoc[]
[float]
[[field-formatters-date]]
==== Date field formatters
Date fields support *Date*, *String*, and *Url* formatters.
The *Date* formatter enables you to choose the display format of date stamps using the https://momentjs.com/[moment.js]
standard format definitions.
include::field-formatters/string-formatter.asciidoc[]
include::field-formatters/url-formatter.asciidoc[]
[float]
[[field-formatters-geopoint]]
==== Geographic point field formatters
Geographic point fields support the *String* formatter.
include::field-formatters/string-formatter.asciidoc[]
[float]
[[field-formatters-numeric]]
==== Number field formatters
Numeric fields support *Bytes*, *Color*, *Duration*, *Histogram*, *Number*, *Percentage*, *String*, and *Url* formatters.
The *Bytes*, *Number*, and *Percentage* formatters enable you to choose the display formats of numbers in the field using
the <<numeral, Elastic numeral pattern>> syntax that {kib} maintains.
The *Histogram* formatter is used only for the {ref}/histogram.html[histogram field type]. When you use the *Histogram* formatter,
you can apply the *Bytes*, *Number*, or *Percentage* format to aggregated data.
include::field-formatters/url-formatter.asciidoc[]
include::field-formatters/string-formatter.asciidoc[]
include::field-formatters/duration-formatter.asciidoc[]
include::field-formatters/color-formatter.asciidoc[]
Reference in a new issue View git blame Copy permalink