Field value should not be updated if document already exists

skairam · May 27, 2017, 8:49pm

HI,

I have fields CRTE_TMS, UPDATE_TMS. In my logstash configuration, i have the following mutate, which adds fields with current time stamps value and i have doc_as_upsert => true. This script is updating the existing documents as expected. However, only problem is, CRTE_TMS is always coming as current timestamp. How can i not update the CRTE_TMS if the document is already existing? any inputs on this will be appreciated. thanks

mutate {
	add_field => {
		"UPDATE_TMS" => "%{[@timestamp]}"
     "CRTE_TMS" => "%{[@timestamp]}"

	}
}

output {
elasticsearch{
hosts => ["localhost:9200"]
index => "index1"
document_type => "type1"
document_id => "%{LOG_ID}"
doc_as_upsert => true
}

skairam · May 30, 2017, 5:59pm

Hi, i tried upsert, script and scripted_upsert. nothing works. can anybody throw some inputs on this. appreciate it

system · June 27, 2017, 5:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.