It's something along the lines of the following:
filter {
ruby {
code => 'field_name = "update_script"
condCol = event.get("condCol")
arr = []
script = "if (ctx._source.#{condCol} > params.event.get(\"#{condCol}\")) { ctx.op = \"none\" } else {<update>}"
event.to_hash.each do |key,value|
next if key.start_with?("@")
arr.push("ctx._source.#{key} = params.event.get(\"#{key}\")")
end
updates = arr.join(";")
script.sub!("<update>",updates)
event.set(field_name,script)'
}
}
And then in the elasticsearch output plugin:
script => "%{update_script}"
This assumes there is a "condCol" field in the input that describes which field should be used for the condition.
Also, this assumes the data is flat (or that you don't care about nesting) - there is no deep merge going on here, top level values get fully overwritten.