I have a few different indices that have logs in them that were digested using Logstash.
The filter in my config looks like this:
filter {
  csv {
    autodetect_column_names => false
    columns => ["uid", "ip"]
    separator => ":"
    target => "_tmp"
  }
  mutate {
    add_field => {
      "[data][uid]" => "%{[_tmp][uid]}"
      "[data][ip]" => "%{[_tmp][ip]}"
    }
  }
  mutate {
    remove_field => ["_tmp"]
  }
  prune {
    whitelist_names => [ "data" ]
  }
}
Because the config didn't have any checks to see if one of the columns is empty, it would instead digest the literal string "%{[_tmp][uid]}".
I would like to update all fields in all indices where data.uid == "%{[_tmp][uid]}". I'm not entirely sure how to do this.
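
One way to approach the cleanup described above, as an added example that is not part of the original post: it builds an Elasticsearch `_update_by_query` body that removes `data.uid` or `data.ip` where the stored value is the unresolved placeholder, and includes an offline check that goes beyond the two fields to any value that is only a `%{...}` reference. The function names are hypothetical, the `.keyword` subfield assumes default dynamic mapping, and the sample documents are constructed.

```python
import json
import re

# Literal values stored when the sprintf references in the filter above did not resolve.
PLACEHOLDERS = {"uid": "%{[_tmp][uid]}", "ip": "%{[_tmp][ip]}"}
# Generalization: any value that is nothing but an unresolved %{...} reference.
UNRESOLVED = re.compile(r"^%\{[^}]+\}$")

# The script re-checks the value so a document that changed since the query is skipped.
PAINLESS = (
    "if (ctx._source.data != null && ctx._source.data[params.leaf] == params.literal) "
    "{ ctx._source.data.remove(params.leaf) } else { ctx.op = 'noop' }"
)


def update_by_query_body(leaf):
    """Request body for POST <index-pattern>/_update_by_query removing data.<leaf>."""
    literal = PLACEHOLDERS[leaf]
    return {
        # Assumption: default dynamic mapping, so data.<leaf>.keyword holds the exact string.
        "query": {"term": {f"data.{leaf}.keyword": literal}},
        "script": {"lang": "painless", "source": PAINLESS,
                   "params": {"leaf": leaf, "literal": literal}},
    }


def scrub(doc, prefix=""):
    """Offline equivalent: drop unresolved values from a document, return removed paths."""
    removed = []
    for key in list(doc):
        value, path = doc[key], prefix + key
        if isinstance(value, dict):
            removed += scrub(value, path + ".")
        elif isinstance(value, str) and UNRESOLVED.match(value):
            del doc[key]
            removed.append(path)
    return removed


if __name__ == "__main__":
    # Constructed sample documents, shaped like the output of the filter above.
    docs = [
        {"data": {"uid": "1001", "ip": "192.0.2.10"}},
        {"data": {"uid": "%{[_tmp][uid]}", "ip": "192.0.2.11"}},
        {"data": {"uid": "1003", "ip": "%{[_tmp][ip]}"}},
    ]
    for doc in docs:
        print(scrub(doc), doc)
    for leaf in PLACEHOLDERS:
        print(json.dumps(update_by_query_body(leaf), indent=2))
```

Running `scrub` over an exported sample first shows which documents the update would touch before the request is sent to a live cluster.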