Pipeline Rules and when condition: string v. integer

All,

Have a field “myfield” where its value needs to be tested in order to determine if it meets the regex of /^[[:digit:]]{1,}$/ or not.

Example values:
car
blue
150
horse
boat
182
banana
v9t1z

Need to structure a rule where its something along the lines of:

when
has_field(“myfield”) && regex("^\d+$",to_string($message.myfield).matches == false

The parser barks about using “has_field” and “regex” at the same time. is_number/is_long/… do not appear to result in matching where the field’s value is ^\d+$

The goal is to match (or ignore) any instance who’s value meets: /^[[:digit:]]{1,}$/

Unfortunately, between regex, is_number and some other more circuitous attempts - nothing has netted the ability to perform that test on a field’s value.

Any suggestions?

Thanks!

It is likely that Elasticsearch has saved the field as a keyword rather than long. You can query the Elasticsearch database to see with something like this:

curl -X GET -netrc "elstc-main:9200/*/_mapping/field/myfield?pretty" | grep -B 7 keyword

If this is the case, you can either correct Elasticsearch with a custom field or you could try to convert it to a long as part of your test - if it gets 0 (or whatever you define… like 7777 ) it couldn’t convert it to a long and is therefor not a number

rule "does it number"

when

has_field("myfield")       && 
to_long($message.myfield, 7777) != 7777

then
   //
   //  some action here 
   //
end

On a side note, I used the forum tools </> to make my code readable and easily copy/pastable… it helps for questions and answers!

Thank you for the response!

Interesting possibility… Will need to play - that may just solve the issue!

Given that the values for the field could be: int, char or a mix of char+int - wouldn’t trying to convert the underlying field fail or create an issue for Elasticsearch?

RE: code tag, definitely need to review those.

Thanks!

That is true - if the field is always coming in mixed, it will have to be a keyword or Elasticsearch will be unhappy. Once you have proved it can be numeric, you could create a new long field in case you needed a number for dashboard calculations/visuals.

rule "convert to long - maybe"

when

has_field("myfield")       && 
to_long($message.myfield, 7777) != 7777

then
   //
   set_field("mylongfield", to_long($message.myfield)); 
   //
end

Just to follow up on this - your solution absolutely solved the need! THANKS!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.