They arrive in an uncontrolled manner:
- sometimes MSG_TYPE:1 comes first,
- sometimes MSG_TYPE:2 comes first,
- sometimes only one of them arrives,
- they never arrive from the same file.
I need to write a Logstash config such that only MSG_TYPE:1 info would be updated, and I need to add an additional field indicating which came first. For example, if MSG_TYPE:2 came second, it should look like this:
THREAD_ID:101 MSG_TYPE:2 FINAL_STATE:DELIVERED RECEIVED:1,2
And if it arrived first:
THREAD_ID:101 MSG_TYPE:2 FINAL_STATE:DELIVERED RECEIVED:2,1
The solution I'm looking for should work in real time. Could you please advise me on what filters or methods to use in this case?
I think you could do this with the "update" action on the Elasticsearch output. You would need to set the DOC_ID. I assume your thread_id field is unique?
Yes, it is unique, and I do know how to set DOC_ID. But with the update action, the message is updated by whichever comes last, isn't it? So in this case it works only if the messages come:
THREAD_ID:101 MSG_TYPE:1 FINAL_STATE:EXPIRED
THREAD_ID:101 MSG_TYPE:2 FINAL_STATE:DELIVERED
Then I do get what I initially want:
THREAD_ID:101 MSG_TYPE:2 FINAL_STATE:DELIVERED
But if MSG_TYPE:2 came first and MSG_TYPE:1 later, my message would look like:
THREAD_ID:101 MSG_TYPE:1 FINAL_STATE:EXPIRED
And I always need to keep the MSG_TYPE:2 information.
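One way to get the order-independent result described in this thread is a scripted upsert on the Elasticsearch output. The config below is an added example, not part of the original posts. It assumes each line arrives in the `message` field in the `KEY:VALUE` form shown above, and the host and index name are placeholders.

```logstash
filter {
  # Split "THREAD_ID:101 MSG_TYPE:2 FINAL_STATE:DELIVERED" into fields.
  kv {
    source      => "message"
    field_split => " "
    value_split => ":"
  }
}

output {
  elasticsearch {
    hosts             => ["http://localhost:9200"]  # assumed host
    index             => "thread-state"             # assumed index name
    document_id       => "%{THREAD_ID}"
    action            => "update"
    scripted_upsert   => true    # run the script even when the doc does not exist yet
    retry_on_conflict => 5       # the two events may be indexed concurrently
    script_type       => "inline"
    script_lang       => "painless"
    script            => '
      def e = params.event;
      def t = e.MSG_TYPE;

      // Record arrival order: "1", "2", "1,2" or "2,1".
      def seen = ctx._source.RECEIVED;
      if (seen == null) {
        ctx._source.RECEIVED = t;
      } else if (!seen.contains(t)) {
        ctx._source.RECEIVED = seen + "," + t;
      }

      // MSG_TYPE 2 always wins; MSG_TYPE 1 only fills an empty document.
      if (t == "2" || ctx._source.MSG_TYPE == null) {
        ctx._source.THREAD_ID   = e.THREAD_ID;
        ctx._source.MSG_TYPE    = t;
        ctx._source.FINAL_STATE = e.FINAL_STATE;
      }
    '
  }
}
```

Because the precedence rule lives in the update script rather than in the arrival order, a late MSG_TYPE:1 event only extends `RECEIVED` and leaves the MSG_TYPE:2 fields in place.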