Conditional update to the document

Dan_Markhasin · June 3, 2017, 4:09pm

It's something along the lines of the following:

filter {
  ruby {
    code => 'field_name = "update_script"
             condCol = event.get("condCol")
             arr = []
             script = "if (ctx._source.#{condCol} > params.event.get(\"#{condCol}\")) { ctx.op = \"none\" } else {<update>}"
             event.to_hash.each do |key,value|
              next if key.start_with?("@")
              arr.push("ctx._source.#{key} = params.event.get(\"#{key}\")")
             end
             updates = arr.join(";")
             script.sub!("<update>",updates)
             event.set(field_name,script)'
    }
}

And then in the elasticsearch output plugin:

script => "%{update_script}"

This assumes there is a "condCol" field in the input that describes which field should be used for the condition.
Also, this assumes the data is flat (or that you don't care about nesting) - there is no deep merge going on here, top level values get fully overwritten.

Topic		Replies	Views
Update(upsert) with query support Elasticsearch	6	2325	July 6, 2018
Upsert data using painless script if updated_at is higher than previous document Elasticsearch painless , eql-elastic-query-language	2	714	February 15, 2022
How to use Java api UpdateRequest for conditional write with optimistic locking control in place Elasticsearch language-clients	1	229	April 6, 2023
How to update date field in elasticsearch if it has "-" Elasticsearch	7	4943	July 5, 2017
Concurrent update Elasticsearch	2	1200	July 6, 2017

Conditional update to the document

Related Topics