https://community.splunk.com/t5/Splunk-Search/Issed-when-search-with-script-from-OpenSearch/m-p/704123#M238630 <P>I tried to search data with dynamic script:</P><P>&nbsp;</P><LI-CODE lang="markup">| ecs "opensearch_dashboards_sample_data_flights" "{ \"from\": 0, \"size\": 1000, \"query\": { \"match_all\": {} }, \"script_fields\": { \"fields\": { \"script\": { \"source\": \\\"def fields = params['_source'].keySet(); def result = new HashMap(); for (field in fields) { def value = params['_source'][field]; if (value instanceof String &amp;&amp; value.contains('DE')) { result.put(field, value.replace('DE', 'Germany')); } else { result.put(field, value); }} return result;\\\" } } }, \"track_total_hits\": true }" "only" | table *</LI-CODE><P>&nbsp;</P><P>But it not working. I think the problem is from my source command, but I don't know how to fix this</P><P>&nbsp;</P><LI-CODE lang="markup">\"source\": \\\"def fields = params['_source'].keySet(); def result = new HashMap(); for (field in fields) { def value = params['_source'][field]; if (value instanceof String &amp;&amp; value.contains('DE')) { result.put(field, value.replace('DE', 'Germany')); } else { result.put(field, value); }} return result;\\\" </LI-CODE><P>&nbsp;</P><P>&nbsp;Hope someone can help me fix this. Thank very much for speding tim for my issue.</P> Tue, 12 Nov 2024 03:48:44 GMT kietluu 2024-11-12T03:48:44Z https://community.splunk.com/t5/Splunk-Search/Issed-when-search-with-script-from-OpenSearch/m-p/704123#M238630 <P>I tried to search data with dynamic script:</P><P>&nbsp;</P><LI-CODE lang="markup">| ecs "opensearch_dashboards_sample_data_flights" "{ \"from\": 0, \"size\": 1000, \"query\": { \"match_all\": {} }, \"script_fields\": { \"fields\": { \"script\": { \"source\": \\\"def fields = params['_source'].keySet(); def result = new HashMap(); for (field in fields) { def value = params['_source'][field]; if (value instanceof String &amp;&amp; value.contains('DE')) { result.put(field, value.replace('DE', 'Germany')); } else { result.put(field, value); }} return result;\\\" } } }, \"track_total_hits\": true }" "only" | table *</LI-CODE><P>&nbsp;</P><P>But it not working. I think the problem is from my source command, but I don't know how to fix this</P><P>&nbsp;</P><LI-CODE lang="markup">\"source\": \\\"def fields = params['_source'].keySet(); def result = new HashMap(); for (field in fields) { def value = params['_source'][field]; if (value instanceof String &amp;&amp; value.contains('DE')) { result.put(field, value.replace('DE', 'Germany')); } else { result.put(field, value); }} return result;\\\" </LI-CODE><P>&nbsp;</P><P>&nbsp;Hope someone can help me fix this. Thank very much for speding tim for my issue.</P> Tue, 12 Nov 2024 03:48:44 GMT https://community.splunk.com/t5/Splunk-Search/Issed-when-search-with-script-from-OpenSearch/m-p/704123#M238630 kietluu 2024-11-12T03:48:44Z https://community.splunk.com/t5/Splunk-Search/Issed-when-search-with-script-from-OpenSearch/m-p/704125#M238631 <P>"ecs" is not a native Splunk command. Whatever add-on it came from you need to look in its docs. The only Splunk-related thing is that the string which apparently contains some command for external service must be properly escaped. Other than that it's beyond Splunk realm.</P> Tue, 12 Nov 2024 04:59:03 GMT https://community.splunk.com/t5/Splunk-Search/Issed-when-search-with-script-from-OpenSearch/m-p/704125#M238631 PickleRick 2024-11-12T04:59:03Z https://community.splunk.com/t5/Splunk-Search/Issed-when-search-with-script-from-OpenSearch/m-p/704136#M238632 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;thank you&nbsp;</P> Tue, 12 Nov 2024 06:46:38 GMT https://community.splunk.com/t5/Splunk-Search/Issed-when-search-with-script-from-OpenSearch/m-p/704136#M238632 kietluu 2024-11-12T06:46:38Z