gringo
January 23, 2017, 9:37am
1
How do I do something like a JOIN in Elasticsearch? I have 2 indices:
"_index": "blacklist1", "_type": "logs", "_id": "KS8CI-XKSID8DKSLAKS"
"_index": "raw_firewall_logs", "_type": "logs", "_id": "SADLFSJFOI3098WOIJFD",
Assuming in "raw_firewall_logs" I have a field "source_ip" that contains "123.123.123.1"
Assuming in "blacklist1" I have a field "block_ip" that contains "123.123.123.1" and a field "threat_type" containing "worm"
How should I update my mapping and how should I query so that I can see the following
{"source_ip": "123.123.123.1", "blacklist1": "Yes", "blacklist1": "worm"}
warkolm
(Mark Walkom)
January 24, 2017, 7:52am
2
You need to do this at index time, you cannot join like this.
gringo
February 8, 2017, 2:03am
3
Can I know what is index time?
warkolm
(Mark Walkom)
February 8, 2017, 9:07pm
4
When you send the data to ES to be stored.
gringo
February 9, 2017, 12:54am
5
Do you have any examples of one index joining with other indexes at index time?

I would recommend reading the section on data modelling from the Definitive Guide. For many use cases the best way is to simply denormalise the data prior to indexing it into Elasticsearch.
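Below is an added example of the index-time denormalisation the replies above recommend; it is not code from the thread or from Elastic. The blacklist and firewall documents are constructed samples shaped like the fields the question names (`source_ip`, `block_ip`, `threat_type`). The blacklist is loaded into an in-memory lookup, every raw firewall log is enriched with the matching blacklist fields before it is sent to Elasticsearch, and the result is emitted as bulk-API NDJSON. The output field names `blacklist1` and `blacklist1_threat_type`, the target index name `enriched_firewall_logs` and the `keyword` mapping are assumptions for the example (a JSON object cannot carry the same key twice, so the two enrichment values get distinct names).

```python
import json

# Constructed sample data, not taken from the original thread.
BLACKLIST_DOCS = [
    {"block_ip": "123.123.123.1", "threat_type": "worm"},
    {"block_ip": "10.0.0.5", "threat_type": "c2"},
]

RAW_FIREWALL_LOGS = [
    {"source_ip": "123.123.123.1", "dest_port": 445, "action": "deny"},
    {"source_ip": "192.0.2.7", "dest_port": 443, "action": "allow"},
    {"source_ip": "10.0.0.5", "dest_port": 22, "action": "deny"},
]

# Assumed mapping for the enriched index: exact-match fields are keywords so
# that a term query on blacklist1 or the threat type is cheap and unanalysed.
ENRICHED_MAPPING = {
    "mappings": {
        "logs": {
            "properties": {
                "source_ip": {"type": "ip"},
                "dest_port": {"type": "integer"},
                "action": {"type": "keyword"},
                "blacklist1": {"type": "keyword"},
                "blacklist1_threat_type": {"type": "keyword"},
            }
        }
    }
}


def build_blacklist_lookup(docs):
    """Load the (small) blacklist into a dict keyed by IP string.

    The blacklist is the side of the join that fits in memory; the firewall
    logs are streamed through it one document at a time.
    """
    lookup = {}
    for doc in docs:
        ip = doc["block_ip"].strip()
        # Keep the first threat_type seen for an IP; a production pipeline
        # might instead collect all of them into a list.
        lookup.setdefault(ip, doc["threat_type"])
    return lookup


def enrich(log, lookup):
    """Return a copy of one firewall log denormalised with blacklist fields."""
    out = dict(log)
    threat = lookup.get(log.get("source_ip", "").strip())
    out["blacklist1"] = "Yes" if threat is not None else "No"
    # None for IPs that are not listed, so the field exists on every document
    # and "blacklist1_threat_type does not exist" cannot be confused with
    # "not on the blacklist".
    out["blacklist1_threat_type"] = threat
    return out


def enrich_all(logs, lookup):
    """Enrich every raw log; this is the 'join at index time' step."""
    return [enrich(log, lookup) for log in logs]


def to_bulk_ndjson(docs, index="enriched_firewall_logs", doc_type="logs"):
    """Serialise enriched docs as bulk-API NDJSON (action line, then source)."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index, "_type": doc_type}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    lookup = build_blacklist_lookup(BLACKLIST_DOCS)
    enriched = enrich_all(RAW_FIREWALL_LOGS, lookup)
    # The mapping would be sent with PUT /enriched_firewall_logs, the NDJSON
    # with POST /_bulk; both are printed here instead of sent.
    print(json.dumps(ENRICHED_MAPPING, indent=2))
    print(to_bulk_ndjson(enriched))
```

After indexing, the question's view is a plain query on the enriched index (for example a term query on `blacklist1: "Yes"`), with no join needed. The trade-off to keep in mind is that the enrichment is frozen at index time: an IP added to the blacklist later will not be reflected in documents already indexed until they are re-processed.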
system
(system)
Closed
March 9, 2017, 7:22am
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.