Combine multiple sources

Hornov · August 4, 2015, 12:07pm

I've logs from multiple sources for the same user. But I need to report fields of this differents sources. Is it possible to store all this data in the same document ?
Thanks

magnusbaeck · August 4, 2015, 12:17pm

Please see this topic:

Hornov · August 4, 2015, 2:23pm

Thanks but I don't understand how to do the merging on the Elasticsearch side. Somebody could help me ?

magnusbaeck · August 4, 2015, 2:40pm

It'll be easier to help if you can ask a more specific question. What kind of sources do you have? What fields will each source contribute with?

Hornov · August 5, 2015, 8:48am

I've a xml file like this :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

< devices>
    < device id="413">
        < uuid>2ab941ea-fa62-477b-bfc7-e5a101ac2df7</uuid>
        < principal>152100</principal>
        ...
    < /device>
< /devices>

a csv file like this :
PRINCIPAL;FUNCTIONAL_EXPORT_DATE;LENGTH(FILE_CONTENT)
152100;01/07/2015;88576

and an other like this :
PRINCIPAL;CART_ID;UPDATE_DATE;TOTAL_AMOUNT
152100;10776692;03/08/2015;2

and I would like to join all of this on the field PRINCIPAL

magnusbaeck · August 5, 2015, 9:43am

Argh, crap. Sorry. Elasticsearch won't actually merge the documents for you. In this case I don't have a simple solution for you.

Hornov · September 3, 2015, 3:42pm

If someone meets the same difficulty I managed to use in logstash the filter plugin elasticsearch.

sush · December 2, 2015, 2:57pm

Hi Hornov,

I need to do the same with two csv files, Can you give me a sample of your logstash config file, as how exactly did you use the elasticsearch plugin. I have been playing around the options in the plugin, couldn't find it

Thanks

Hornov · December 2, 2015, 3:29pm

Not being a native English speaker, sorry in advance for English

With the elasticsearch plugin I can search the first document, my rule to find the original document is a litle bit more complicated than keysourcea=keysourceb but the idea is :
I store my file A then my file B.
The config file of the file b is something like :
elasticsearch {
hosts => ["myhost/myindex"]
query => "myquerrystring AND keysourcea:%{keysourceb}"
fields => ["MY_FIELD1","MY_FIELD1","MY_FIELD2","MY_FIELD2",...]
sort => "TIMESTAMP_EVT:desc"
}

but the best way if you can define a key is to put in your output elasticsearch :
action => "update"
doc_as_upsert => true
document_id => "%{yourkey}"
The doc_as_upsert is only useful if both files can come in the same time.

sush · December 4, 2015, 9:35am

Thank you so much for the reply.
But it didn't work for my case, I needed many to many relation to work.
Any how your reply did help in clarifying some doubts.
Thank again

Hornov · December 4, 2015, 11:38am

If you've many to many relations the elasticsearch filter can't help you because, you can only find 1 other event.
I think the best way is to make the relation before if you can (repeat the second file (or a part) for every (or some) lines of the first).

Topic		Replies	Views
Possible to use logstash to merge data from multiple files? Logstash	3	3678	July 6, 2017
Comparing and Combining fields from " Different LOG TYPES " and form a new field Logstash	1	390	October 12, 2017
Merge data from several csv sources Logstash	5	317	January 19, 2021
Logstash xml filter Logstash	2	310	October 3, 2018
Parsing and combining different CSV files in logstash Logstash	12	4364	February 15, 2018

Combine multiple sources

Related topics