Cant access fields from log using query template for Elasticsearch filter in Logstash

james.garside · January 8, 2020, 6:20pm

Cant access fields from log using query template

I have an instance of logstash which I want to use to enrich a field on incomming logs by querying elasticsearch then add the result to the recieved log.
I have configured it using the resources available however the field is not being updated.

My configurations are below.

pipeline.yml

mutate { add_field => { "destination.geo.name" => "none" }}
elasticsearch {
	hosts => ["https://eshost1"]
	#ssl => true (Not used due to a mention there is a bug with using ssl and instead use https)
	ca_file => "/path/to/cert.crt"
	user => "logstash"
	password => "password"
	index => "index-ap*"
	query_template => "/path/to/ap_query.json"
	fields => { "Map Location" => "destination.geo.name" }
	}

ap_query.json

{
    "size": 1,
    "sort" : [ { "@timestamp" : "desc" } ],
    "query": {
	    "match_phrase": {
		    "Base Radio MAC Address": "%{[destination][address]}"
		    }
	    },
    "_source": ["Map Location"]
}

Logstash is opertaing completly as expected apart from this section.
Any help would be greatly appreciated.

system · February 5, 2020, 6:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to query elasticsearch and take some fields from old data Logstash	3	7566	March 17, 2017
Logstash - aggregation_fields in elasticsearch filter plugin Logstash	2	1181	February 14, 2019
Template fields are missing fields on Kibana Elasticsearch	6	2557	July 6, 2017
Unable to query .keyword fields from an index created using the default logstash template Logstash	10	6545	May 30, 2017
Data isn't indexed by elasticsearch with custom template Elasticsearch	4	538	July 26, 2017

Cant access fields from log using query template for Elasticsearch filter in Logstash

Cant access fields from log using query template

Related topics