Can't access fields from log using query template
I have an instance of Logstash which I want to use to enrich a field on incoming logs by querying Elasticsearch and then adding the result to the received log.
I have configured it using the resources available; however, the field is not being updated.
My configurations are below.
pipeline.yml
mutate { add_field => { "destination.geo.name" => "none" }}
elasticsearch {
  hosts => ["https://eshost1"]
  #ssl => true (Not used due to a mention there is a bug with using ssl and instead use https)
  ca_file => "/path/to/cert.crt"
  user => "logstash"
  password => "password"
  index => "index-ap*"
  query_template => "/path/to/ap_query.json"
  fields => { "Map Location" => "destination.geo.name" }
}
ap_query.json
{
  "size": 1,
  "sort" : [ { "@timestamp" : "desc" } ],
  "query": {
    "match_phrase": {
      "Base Radio MAC Address": "%{[destination][address]}"
    }
  },
  "_source": ["Map Location"]
}
Logstash is operating completely as expected apart from this section.
Any help would be greatly appreciated.