Siren Platform User Guide

Scripted fields

Scripted fields compute data on the fly from the data in your Elasticsearch indices. Scripted field data is shown on the Discover tab as part of the document data, and you can use scripted fields in your visualizations. Scripted field values are computed at query time so they are not indexed and cannot be searched. Note that Siren Investigate cannot query scripted fields.

Caution

Computing data on the fly with scripted fields can be very resource intensive and can have a direct impact on Siren Investigate’s performance. Keep in mind that there’s no built-in validation of a scripted field. If your scripts are buggy, you will get exceptions whenever you try to view the dynamically generated data.

When you define a scripted field in Siren Investigate, you have a choice of scripting languages. Starting with 5.0, the default options are Lucene expressions and Painless. While you can use other scripting languages if you enable dynamic scripting for them in Elasticsearch, this is not recommended because they cannot be sufficiently sandboxed.

Note

Use of Groovy, JavaScript, and Python scripting is deprecated starting in Elasticsearch 5.0, and support for those scripting languages will be removed in the future.

You can reference any single-valued numeric field in your expressions, for example:

doc['field_name'].value

For more background on scripted fields and additional examples, refer to Using Painless in Kibana scripted fields.
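
The following Python script is an added example, not part of the Siren documentation. It audits an index pattern's scripted fields for the non-sandboxed languages warned about above and, as a simple stand-in for the validation the Caution says is missing, for Painless scripts that read doc['field'].value with no check for documents that lack the field. It assumes the Kibana 5.x saved-object layout, in which "fields" is a JSON-encoded string whose entries carry "scripted", "script" and "lang"; the function name, the regex heuristic and the sample data are constructed for illustration.

```python
import json
import re

# Languages the page names as the defaults from 5.0 on; anything else needs
# dynamic scripting enabled in Elasticsearch and cannot be sufficiently sandboxed.
SANDBOXED = {"expression", "painless"}

# Matches doc['field'].value reads and captures the field name.
DOC_READ = re.compile(r"doc\[['\"]([^'\"]+)['\"]\]\.value")


def audit_scripted_fields(index_pattern_source):
    """Return a list of (field_name, finding) for one index pattern's _source.

    Assumption: 'fields' is a JSON-encoded string holding a list of field
    objects with 'name', 'scripted', 'script' and 'lang' keys (Kibana 5.x layout).
    """
    findings = []
    for field in json.loads(index_pattern_source["fields"]):
        if not field.get("scripted"):
            continue
        name, lang, script = field["name"], field.get("lang", ""), field.get("script", "")
        if lang not in SANDBOXED:
            findings.append((name, f"non-sandboxed language: {lang}"))
        if lang == "painless":
            for ref in sorted(set(DOC_READ.findall(script))):
                # Heuristic: a guard is a size() or empty test on the same doc[...] lookup.
                guard = re.compile(r"doc\[['\"]" + re.escape(ref) + r"['\"]\]\.(size\(\)|empty)")
                if not guard.search(script):
                    findings.append((name, f"reads doc['{ref}'].value without a missing-value check"))
    return findings


# Constructed sample, not taken from a real deployment.
SAMPLE = {
    "title": "logs-*",
    "fields": json.dumps([
        {"name": "bytes", "type": "number", "scripted": False},
        {"name": "kb", "type": "number", "scripted": True, "lang": "expression",
         "script": "doc['bytes'].value / 1024"},
        {"name": "legacy", "type": "string", "scripted": True, "lang": "groovy",
         "script": "doc['host'].value"},
        {"name": "ratio", "type": "number", "scripted": True, "lang": "painless",
         "script": "doc['out'].value / doc['in'].value"},
        {"name": "safe_kb", "type": "number", "scripted": True, "lang": "painless",
         "script": "doc['bytes'].size() == 0 ? 0 : doc['bytes'].value / 1024"},
    ]),
}

if __name__ == "__main__":
    for name, finding in audit_scripted_fields(SAMPLE):
        print(f"{name}: {finding}")
```

Run it against the _source of each exported index-pattern object; an empty result means every scripted field uses a default language and guards its field reads.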

Creating a scripted field

  1. Go to Settings > Indices.
  2. Select the index pattern you want to add a scripted field to.
  3. Go to the pattern’s Scripted Fields tab.
  4. Click Add Scripted Field.
  5. Enter a name for the scripted field.
  6. Enter the expression that you want to use to compute a value on the fly from your index data.
  7. Click Save Scripted Field.

For more information about scripted fields in Elasticsearch, see Scripting.

Modifying a scripted field

  1. Go to Settings > Indices.
  2. Click Edit for the scripted field you want to change.
  3. Make your changes and then click Save Scripted Field to update the field.

Deleting a scripted field

  1. Go to Settings > Indices.
  2. Click Delete for the scripted field you want to remove.
  3. Confirm that you really want to remove the field.
