How can I add Json-Data to historic index

Steven_Tschache · January 4, 2023, 11:41am

We currently are importing data using Logstash. One of the fields ("request") is a JSON stored as a string. We now require a section of this stored JSON as fields in the searchable index. I have updated Logstash filter using

filter {
    json {
        source => "request"
        target => "[@metadata][request_json]"
    }
    if [@metadata][request_json][merchant] {
        # in the Request, pull out the Merchant-ID
        mutate {
            add_field => {
                "merchant_id" => "%{[@metadata][request_json][merchant][id]}"
                "merchant_name" => "%{[@metadata][request_json][merchant][name]}"
            }
        }
    }
}

Which works great for new data.

How can I update the indices for the historic data? I'm using Elasticsearch, Logstash and Kibana 8.5.3

Christian_Dahlqvist · January 4, 2023, 12:57pm

You may be able to run an update by query with an ingest pipeline containing a JSON processor.

Steven_Tschache · January 5, 2023, 1:47pm

Thx for the advice. So, I'm looking at this, but struggling how to implement the "painless" script for this, since painless has limited support for JSON. I've started off OK with

[
  {
    "json": {
      "field": "request",
      "target_field": "request_json"
    }
  },
  "script": {
    "inline": "def now_what;",
    "lang": "painless"
  },
  {
    "remove": {
      "field": "request_json"
    }
  }
]

But the bit in the middle is where I'm struggling. Never did "painless" and not much help out there in Google.

Christian_Dahlqvist · January 5, 2023, 1:52pm

Why not use a number of set processors instead of painless?

Steven_Tschache · January 5, 2023, 2:39pm

Because YOU are magic! LOL, thank you so so much!

[
  {
    "json": {
      "field": "request",
      "target_field": "request_json"
    }
  },
  {
    "set": {
      "field": "merchant_name",
      "copy_from": "request_json.merchant.name",
      "ignore_empty_value": true
    }
  },
  {
    "set": {
      "field": "merchant_name",
      "copy_from": "request_json.data.application.merchant.name",
      "override": false,
      "ignore_empty_value": true
    }
  },
  {
    "set": {
      "field": "merchant_id",
      "copy_from": "request_json.merchant.id",
      "ignore_empty_value": true
    }
  },
  {
    "set": {
      "field": "merchant_id",
      "copy_from": "request_json.data.application.merchant.id",
      "override": false,
      "ignore_empty_value": true
    }
  },
  {
    "remove": {
      "field": "request_json"
    }
  }
]

system · February 2, 2023, 2:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.