How to check the result of a query to elasticsearch into the filter plugin


#1

Hi all, I have a problem when trying to check whether a query, done inside the elasticsearch filter plugin, returns a document. How can I check this situation? Currently I'm using the fields attribute to map a field of the old event into the new one, but when I check the value it always fails. Any suggestion?
Logstash version 6.3, Elasticsearch filter plugin version 3.3.0.
The code I use is the following:
```
filter {
  elasticsearch {
    hosts  => ["es-server"]
    index  => "index"
    type   => "type"
    query  => "template.json"
    fields => { "username" => "doc_result" }
  }
}
output {
  if [doc_result] { ... }
}
```
In this case, when the query matches a document I assign the username value of the returned document to the doc_result field, but for an unknown reason the if in the output always fails. Does anyone know how to solve this problem? I'm going crazy over this thing. Thanks to all.


(Magnus Bäck) #2
  • Use a `stdout { codec => rubydebug }` to dump the raw event.
  • Increase the loglevel to debug and check the Logstash log. The plugin will log details about the query it makes. Do you get any results if you replicate the same query with e.g. curl?

#3

First of all thanks for the answer.
The query does not always return a match; in fact the initial purpose was to check whether the result field exists (the query matched) and perform two different actions, i.e.
`if [result] {..} else {...}`
but the if-else does not behave as I expect. Is it correct to test whether the query matches by adding fields in that way? Or maybe it's cleaner to add a tag?


(Magnus Bäck) #4

> Is it correct to test whether the query matches by adding fields in that way?

That should work, but as I said, dump the raw event so you know what happens in both cases.

> Or maybe it's cleaner to add a tag?

That's a matter of taste.
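Both suggestions from this thread combined into one pipeline, as an added example that is not the original poster's config: the `fields` mapping and an `add_tag` on the same elasticsearch filter, a conditional that distinguishes hit, miss and lookup error, and the rubydebug dump so the raw event can be inspected in every case. Assumptions: `es-server`, `index` and `template.json` are the poster's placeholders, and `template.json` holds a query in DSL form, so it is passed through `query_template` (the plain `query` option takes a query string, not a file name).

```logstash
# Constructed input for a local test run: one JSON object per line on stdin.
input { stdin { codec => json } }

filter {
  elasticsearch {
    hosts => ["es-server"]                   # placeholder host from the thread
    index => "index"                         # placeholder index from the thread
    # Assumption: template.json contains the query in Elasticsearch DSL form.
    query_template => "template.json"
    # Copies `username` from the first hit into [doc_result]; the field is
    # only set when the query returned at least one hit.
    fields => { "username" => "doc_result" }
    # Common-option tags are applied only when the lookup matched, so this
    # is the "add a tag" variant of the same check.
    add_tag => ["es_match"]
    # Set when the query itself fails (connection, bad query, ...);
    # the plugin default is "_elasticsearch_lookup_failure".
    tag_on_failure => ["es_lookup_failed"]
  }

  # Record which case occurred so it is visible in the dumped event.
  if "es_lookup_failed" in [tags] {
    mutate { add_field => { "[lookup][state]" => "error" } }
  } else if [doc_result] {
    mutate { add_field => { "[lookup][state]" => "hit" } }
  } else {
    mutate { add_field => { "[lookup][state]" => "miss" } }
  }
}

output {
  # Dump every event: a hit shows doc_result and the es_match tag,
  # a miss shows neither, an error shows the es_lookup_failed tag.
  stdout { codec => rubydebug }
}
```

If `[lookup][state]` is "miss" although the same query returns a hit via curl, compare the query logged at debug level with the one sent by hand.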

