I'm trying to update existing documents in Elasticsearch, based on @metadata._id.
Example
First published event
filebeat[26461]: DEBUG [processors] processing/processors.go:203 Publish event: {
"@timestamp": "2022-12-10T10:10:28.695Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.17.5",
"_id": "**791f529272c4e95fbba6273ace4c3e6db0b2944e**"
},
"app": "app1",
"test": {
"machine": {
"name": "1",
"description": "Test machine description2"
},
"prefix": "118fa800"
}
}
That document should be created in Elasticsearch, because a doc with id 791f529272c4e95fbba6273ace4c3e6db0b2944e does not exist.
After some time, Filebeat crawls a new file, with a new test.machine.description:
filebeat[26461]: DEBUG [processors] processing/processors.go:203 Publish event: {
"@timestamp": "2022-12-12T10:10:28.695Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.17.5",
"_id": "**791f529272c4e95fbba6273ace4c3e6db0b2944e**"
},
"app": "app1",
"test": {
"prefix": "118fa800",
"machine": {
"name": "1",
"description": "**New test machine description2**"
}
}
}
The ID is the same as in the previous event, so the document should be updated (that's what I'm trying to accomplish).
Unfortunately, when I'm setting
- fingerprint:
    fields: ["test.machine.name", "test.prefix"]
    target_field: "@metadata._id"  # That line is problematic
    method: "sha1"
the doc never appears in Kibana, or I don't know where I can find it.
This topic is similar to :