Conditionally Update All fields in an index

Hi,

So I have an issue where some of the documents in my index have a leading / in one of the fields and some do not. I want to remove the leading slash from that field if it is there, and do nothing if it is not. Ideally I want to change the actual document, but if there is a way to just have a query strip it out, that would be fine too.

I've seen that there is a way to update an index document-by-document, but it seems like doing that to many documents in one shot is not something Elastic itself offers. Does anyone know of any workaround commands that would have the desired effect, or of a third-party solution?

Here is an example of the issue I have -

Bad Document - (note the value in the api_call field. This is what I want to change)

{
  "_index": "px-ext-access-2017.09.13",
  "_type": "px-ext-access",
  "_id": "AV55ZRE7BTtqfj_T4bUq",
  "_version": 1,
  "_score": null,
  "_source": {
    "api_call": "/transaction/loadMap",
    "@version": "1"
  },
  "fields": {
    "@timestamp": [
      1505275219000
    ]
  },
  "sort": [
    1505275219000
  ]
}

Good Document - (again, look at the api_call field. There is no leading /. This is what I want to keep unchanged.)

{
  "_index": "px-ext-access-2017.09.13",
  "_type": "px-ext-access",
  "_id": "AV55ZRE7BTtqfj_T4bUq",
  "_version": 1,
  "_score": null,
  "_source": {
    "api_call": "transaction/loadMap",
    "@version": "1"
  },
  "fields": {
    "@timestamp": [
      1505275219000
    ]
  },
  "sort": [
    1505275219000
  ]
}

When I query my index for transaction/loadMap, I would like to see something like

{"key": "transaction/loadMap", 
"doc_count": 2}

But this is what I am currently seeing -

{"key": "transaction/loadMap", 
"doc_count": 1}

{ "key": "/transaction/loadMap", 
  "doc_count": 1}
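An added example, not part of the original post: one way to make the conditional change in a single request is Elasticsearch's `_update_by_query` API with a Painless script that rewrites `api_call` only when it starts with `/` and marks every other document as a no-op. The Python below builds that request and mirrors the script locally on constructed copies of the two documents above; the helper names are hypothetical and nothing is sent to a cluster.

```python
import json
from collections import Counter

INDEX = "px-ext-access-2017.09.13"  # index name taken from the post

# Painless: strip one leading "/" from api_call; otherwise tell
# _update_by_query to skip the document (ctx.op = 'noop').
PAINLESS = (
    "def v = ctx._source.api_call; "
    "if (v != null && v.startsWith('/')) "
    "{ ctx._source.api_call = v.substring(1); } "
    "else { ctx.op = 'noop'; }"
)

def build_request():
    """Return (method, path, body) for the update-by-query call."""
    # Older 5.x releases name the "source" key "inline".
    body = {"script": {"lang": "painless", "source": PAINLESS}}
    return "POST", "/%s/_update_by_query?conflicts=proceed" % INDEX, body

def apply_locally(source):
    """Python mirror of PAINLESS; returns (new_source, op)."""
    value = source.get("api_call")
    if isinstance(value, str) and value.startswith("/"):
        return dict(source, api_call=value[1:]), "index"
    return source, "noop"

def terms_counts(sources):
    """Equivalent of a terms aggregation on api_call."""
    return Counter(s["api_call"] for s in sources if "api_call" in s)

# Constructed sample: the _source of the two documents shown above.
SAMPLE = [
    {"api_call": "/transaction/loadMap", "@version": "1"},
    {"api_call": "transaction/loadMap", "@version": "1"},
]

def run_sample():
    results = [apply_locally(doc) for doc in SAMPLE]
    ops = [op for _, op in results]
    return ops, terms_counts(doc for doc, _ in results)

if __name__ == "__main__":
    method, path, body = build_request()
    print(method, path)
    print(json.dumps(body, indent=2))
    print(run_sample())
```

Running the request against a copy of the index first, and comparing the aggregation before and after, confirms that only the slash-prefixed documents were rewritten.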
