Aggregate problem

OK, the use case where I did this was parsing SiteMinder trace logs, where every line has a correlation id and one piece of information about the request. I needed to gather all the information about one request into a single document. I did this by doing a bulk update using doc_as_upsert, one update for each input line.

So, provided that you can use the 'ID appelSVI' as the document id, what you could do is something like

output {
    if [Type] == "SVI" {
        file { path => "/some/path/out.txt" codec => plain { format => '{ "update" : {"_id" : "%{ID appelSVI}", "_type" : "doc", "_index" : "someindex"} }
{ "doc" : { "Passage par SVI" : true }, "doc_as_upsert" : true }
' } }
    }
}

Then

curl -X POST 'localhost:9200/someindex/doc/_bulk' -H "Content-Type:application/json" --data-binary @/some/path/out.txt
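The same idea as an added, stand-alone example that is not part of the post above: build the action/document line pairs that `_bulk` expects from events keyed by `ID appelSVI`, then simulate what `doc_as_upsert` does on the server so you can see the per-line facts merging into one document per correlation id. The sample events, the extra `ACD` event type and its `Queue` field are constructed for the example and are not from the thread. Unlike the inline `format` string, the lines are built with `json.dumps`, so an id or value containing a quote or backslash is escaped instead of producing a malformed (or unintended) bulk request.

```python
import json

# Constructed sample events: each carries the correlation id and one fact about the call.
# 'call-00"03' deliberately contains a quote to show why the JSON must be escaped.
SAMPLE_EVENTS = [
    {"ID appelSVI": "call-0001", "Type": "SVI"},
    {"ID appelSVI": "call-0001", "Type": "ACD", "Queue": "billing"},   # ACD/Queue: constructed
    {"ID appelSVI": "call-0002", "Type": "SVI"},
    {"ID appelSVI": 'call-00"03', "Type": "SVI"},
    {"ID appelSVI": "call-0002", "Type": "HEARTBEAT"},                 # no mapping: skipped
]

# Which partial document each event type contributes (the SVI entry is the one from the post;
# ACD is a constructed second type to show several lines merging into one document).
PARTIAL_DOC_BY_TYPE = {
    "SVI": lambda ev: {"Passage par SVI": True},
    "ACD": lambda ev: {"Queue": ev["Queue"]},
}


def bulk_update_lines(events, index="someindex", doc_type="doc", id_field="ID appelSVI"):
    """Return the NDJSON lines for _bulk: an update action followed by its doc_as_upsert body."""
    lines = []
    for ev in events:
        build_doc = PARTIAL_DOC_BY_TYPE.get(ev.get("Type"))
        if build_doc is None:
            continue  # same effect as the `if [Type] == "SVI"` guard in the Logstash output
        action = {"update": {"_id": ev[id_field], "_type": doc_type, "_index": index}}
        body = {"doc": build_doc(ev), "doc_as_upsert": True}
        # json.dumps escapes quotes/backslashes in ids and values; a format string does not.
        lines.append(json.dumps(action))
        lines.append(json.dumps(body))
    return lines


def to_bulk_body(lines):
    """The request body: newline-delimited, with the trailing newline _bulk requires."""
    return "\n".join(lines) + "\n"


def apply_bulk_locally(bulk_body):
    """Simulate doc_as_upsert: create the document on first sight, then merge each partial doc."""
    docs = {}
    lines = bulk_body.rstrip("\n").split("\n")
    if len(lines) % 2:
        raise ValueError("bulk body must be action/body line pairs")
    for i in range(0, len(lines), 2):
        action = json.loads(lines[i])
        body = json.loads(lines[i + 1])
        doc_id = action["update"]["_id"]
        docs.setdefault(doc_id, {}).update(body["doc"])
    return docs


if __name__ == "__main__":
    body = to_bulk_body(bulk_update_lines(SAMPLE_EVENTS))
    # Write this to /some/path/out.txt and POST it with the curl command from the post.
    print(body)
    for doc_id, doc in apply_bulk_locally(body).items():
        print(doc_id, doc)
```

Running it prints the bulk body and then one merged document per call id; `call-0001` ends up with both `Passage par SVI` and `Queue` because two lines with the same `_id` were upserted into it.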