Scripted Fields

edit

Scripted fields compute data on the fly from the data in your Elasticsearch indices. Scripted field data is shown on the Discover tab as part of the document data, and you can use scripted fields in your visualizations. Scripted field values are computed at query time so they aren’t indexed and cannot be searched.

Kibana cannot query scripted fields.

Computing data on the fly with scripted fields can be very resource intensive and can have a direct impact on Kibana’s performance. Keep in mind that there’s no built-in validation of a scripted field. If your scripts are buggy, you’ll get exceptions whenever you try to view the dynamically generated data.

When you define a scripted field in Kibana, you have a choice of scripting languages. Starting with 5.0, the default options are Lucene expressions and Painless. While you can use other scripting languages if you enable dynamic scripting for them in Elasticsearch, this is not recommended because they cannot be sufficiently sandboxed.

Use of Groovy, Javascript, and Python scripting is deprecated starting in Elasticsearch 5.0, and support for those scripting languages will be removed in the future.

You can reference any single value numeric field in your expressions, for example:

doc['field_name'].value

For more background on scripted fields and additional examples, refer to this blog: Using Painless in Kibana scripted fields

Creating a Scripted Field

edit

To create a scripted field:

  1. Go to Settings > Indices
  2. Select the index pattern you want to add a scripted field to.
  3. Go to the pattern’s Scripted Fields tab.
  4. Click Add Scripted Field.
  5. Enter a name for the scripted field.
  6. Enter the expression that you want to use to compute a value on the fly from your index data.
  7. Click Save Scripted Field.

For more information about scripted fields in Elasticsearch, see Scripting.

Updating a Scripted Field

edit

To modify a scripted field:

  1. Go to Settings > Indices
  2. Click the Edit button for the scripted field you want to change.
  3. Make your changes and then click Save Scripted Field to update the field.

Keep in mind that there’s no built-in validation of a scripted field. If your scripts are buggy, you’ll get exceptions whenever you try to view the dynamically generated data.

Deleting a Scripted Field

edit

To delete a scripted field:

  1. Go to Settings > Indices
  2. Click the Delete button for the scripted field you want to remove.
  3. Confirm that you really want to delete the field.