Accessing a Separate Index in a Scripted Field

stevenlocke · August 17, 2015, 1:43pm

Is it possible to create a scripted field which reads a value from indexA, performs a search in indexB, then takes that value and stores it back in indexA?

For example, I have an index filled with IP addresses and the companies who own them. In a separate index, I have an IP address and I need to know the company where this traffic is coming from. So ideally, I would read the address, search the other index for the company, then store the company alongside the original address.

Can this be performed at all, so far I've only seen accessing fields in a self-contained index?

Thanks.

warkolm · August 17, 2015, 10:49pm

This is basically a join and you cannot do it inside ES, you'd have to do it outside and then reindex the document.

If you are using the ELK stack then check out the translate filter.

stevenlocke · August 18, 2015, 5:13pm

Not using Logstash, unfortunately.

Any alternatives?

warkolm · August 18, 2015, 9:54pm

Then it's all DIY, externally to ES.