Dot in field name? Scripting issue

Hi everybody,

I'm reading various opinions / best practices re: field names. Apparently dots are fully supported but not recommended " * usage of point "." is discouraged but possible".
Is that correct? Most of the beats fields include a dot (i.e. destination.ip or agent.type).

I'm trying to run some reindexing to rename my fields to match the beats convention. For example, I want to reindex and rename dst_ip to destination.ip. However, I get a null_pointer_exception.

Code:

POST _reindex
{
  "source": {
    "index": "logstash-2018.04"
  },
  "dest": {
    "index": "logstash-reindex-2018.04"
  },
  "script": {
    "inline": "ctx._source.source.ip = ctx._source.remove('src_ip');"
  }
}

Error:

{
  "error": {
    "root_cause": [
      {
        "type": "script_exception",
        "reason": "runtime error",
        "script_stack": [
          "ctx._source.source.ip = ctx._source.remove('src_ip');",
          " ^---- HERE"
        ],
        "script": "ctx._source.source.ip = ctx._source.remove('src_ip');",
        "lang": "painless"
      }
    ],
    "type": "script_exception",
    "reason": "runtime error",
    "script_stack": [
      "ctx._source.source.ip = ctx._source.remove('src_ip');",
      " ^---- HERE"
    ],
    "script": "ctx._source.source.ip = ctx._source.remove('src_ip');",
    "lang": "painless",
    "caused_by": {
      "type": "null_pointer_exception",
      "reason": null
    }
  },
  "status": 400
}

Any help is much appreciated.

Thanks.
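An added example, not part of the original post: a Painless script for the same reindex request that creates the parent object before assigning into it. It assumes the source documents have a top-level src_ip field and no existing source object, which is what makes ctx._source.source evaluate to null in the failing script.

```painless
/* Added example, not from the original post. The field names src_ip
   and source.ip are the ones used in the failing request above. */
if (ctx._source.containsKey('src_ip')) {
  /* ctx._source is a Map. In Painless, ctx._source.source.ip means
     "key ip inside the Map stored under key source". Assumption: the
     documents have no source object yet, so that lookup returns null
     and the assignment throws the null_pointer_exception. Create the
     parent object first. */
  if (ctx._source.source == null) {
    ctx._source.source = new HashMap();
  }
  /* remove() returns the old value and deletes the old key; the
     containsKey guard keeps documents without src_ip from getting
     a null source.ip. */
  ctx._source.source.ip = ctx._source.remove('src_ip');
}
```

Collapse the script onto one line to use it as the "inline" string of the request; the comments use /* */ so they survive the joining. The dst_ip to destination.ip rename follows the same pattern with a destination object.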

Additional issue I found when using dots in field names.

THIS WORKS:

output {
  elasticsearch {
    index => "%{logstash_input}-%{+xxxx.ww}"
  }
}
... and the index name is dynamically generated from the field content.

THIS DOESN'T:

output {
  elasticsearch {
    index => "%{logstash.input}-%{+xxxx.ww}"
  }
}
... here the generated index name is: %{logstash.input}-2019.29
