My server receives events, which then are processed by Logstash and saved into Elasticsearch as documents. I am completely new to ELK and I want to do the following.
- Based on the set of several fields in the received document I want to create a fingerprint.
- Based on this fingerprint I want to create a completely new document. It should have this fingerprint (modified) as its ID. I want to modify it by adding some value to the previously created fingerprint, for example, the word "master". Also, I need to include in this document only several specific fields with numbers from the events.
- I want to set up Logstash in such a way that if it receives an event, it creates its fingerprint, and if there is a document with this fingerprint in Elasticsearch, it adds values (numbers) from the event to the fields of this document which is already in Elasticsearch (in other words, it updates the existing document). If there isn't a document with such a fingerprint in Elasticsearch yet, it should create such a document and simply assign values from the event to the numeric fields of this document.
How should I configure Logstash to do this?
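
One way to configure the pipeline described above, as an added example that is not part of the original question: the `fingerprint` filter builds the ID and the `elasticsearch` output performs a scripted upsert that sums the numeric fields. The field names (`client_ip`, `service`, `bytes`, `requests`), the host and the index name are assumptions chosen for illustration.

```logstash
filter {
  # Hash several fields into one value. Without concatenate_sources only the
  # last listed field would end up in the fingerprint.
  fingerprint {
    source              => ["client_ip", "service"]   # assumed field names
    concatenate_sources => true
    method              => "SHA256"
    target              => "[@metadata][fingerprint]" # @metadata is never indexed
  }

  # The script below does arithmetic, so the values must be numbers, not strings.
  mutate {
    convert => { "bytes" => "integer" "requests" => "integer" }  # assumed fields
  }
}

output {
  elasticsearch {
    hosts       => ["http://localhost:9200"]           # assumed host
    index       => "event-totals"                      # assumed index name
    # Modified fingerprint used as the document ID.
    document_id => "%{[@metadata][fingerprint]}master"

    # "update" + scripted_upsert: the script runs whether or not the document
    # exists. For a new document ctx._source starts empty, so the first event
    # simply assigns its values; later events are added to the stored totals.
    action          => "update"
    scripted_upsert => true
    script_type     => "inline"
    script_lang     => "painless"
    script_var_name => "event"                         # event is exposed as params.event
    # Only the fields the script writes are stored in the summary document.
    # Events are assumed to always carry both numeric fields.
    script => "
      ctx._source.bytes    = (ctx._source.bytes    ?: 0) + params.event.bytes;
      ctx._source.requests = (ctx._source.requests ?: 0) + params.event.requests;
    "
    # Several events with the same fingerprint can arrive in one batch.
    retry_on_conflict => 5
  }
}
```

Because the script reads the stored totals and writes them back, each event is counted once per delivery; an event that Logstash retries or replays is added again.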