Define Parent-Child Relationship in Logstash

Elastic Stack Logstash
1

Hi,

According to https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/129, this seems possible to do now.

I'm trying to index two different sources (2 sql tables), and then correlate a parent-child relationship between them. Currently, ingesting data is perfectly fine. However, I'm really confused how to create the parent-child relationship within logstash... I actually can't even figure out how to do it using POST requests in elastic's examples found here: https://www.elastic.co/guide/en/elasticsearch/guide/current/parent-child-mapping.html or https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-parent-field.html.. the 2nd link gives me a bad request 400 when attempting the 3rd put in SENSE.

My current config file looks like this (I am not doing anything in filter, and ingesting works just fine):

output {
    #So I know it is running
    stdout {
      codec => json_lines
    }

	if [type] == "alarms"{
		elasticsearch{
			index => "alarms"
			document_type => "alarm"
			#the below doesn't work: getting a "reason: can't specify parent if no parent field has been
                        #configured"  I need this to be dynamic based on the value of the document's source_id field
			parent => "%{source_id}"
		}
	}
	if [type] == "source"{
		elasticsearch{
			index => "source"
			document_type => "source"
			#overwrites the auto-generated unique value for _id with the unique value from source_id
			document_id => "%{source_id}"
		}
	}
}
2

So I figured out what I needed to do. Basically, in order for parent-child to work, you have to define the mapping in elasticsearch beforehand. Not quite too sure on how to do this in logstash automatically, but as of now I am creating the mapping type by using a POST command within sense based off of their tutorials before ingesting data via logstash. Also not sure why the tutorials weren't working for me... but that's a question for another time. The one thing I did change was the PUT from the following into a POST found in a different tutorial.https://www.elastic.co/guide/en/elasticsearch/guide/current/parent-child-mapping.html:

PUT /company/employee/1?parent=london
{
"name": "Alice Smith",
"dob": "1970-10-24",
"hobby": "hiking"
}

3

Would you mind sharing what kind of mapping you did?