I have a requirement to update the one document field based on the another document example _id : 5 doesn't has any field like "risk", but another _id : 4 has a field risk => high . _id=> 4 is the 1st event and followed by _id:5 is creating. So i have to get the _id=> 4 risk field and update to _id:5 (create a new field and update). Only relation between these two document is one common field example _id 4 and 5 has the field sessionName=> "auth12332232". based on the common field i have to map. note: numerical value in session name is dynamic .
I've found the solution with help of Aggregate filter. Based on the common field i have set the task id and create the field one on 1st event and Closed on matched next event(i.e end the aggregate task, in my case only two events possible, hence i have closed once its matched). Here no need to worry about that Doc id. Any other great solutions are invited if any. Thanks !
Note: Before using Aggregate filter, make sure this plugin should installed in the machine.
Doc Referred:
https://www.elastic.co/guide/en/logstash/5.3/plugins-filters-aggregate.html#plugins-filters-aggregate
Refer for other USECASES:
https://www.elastic.co/guide/en/logstash/5.3/plugins-filters-aggregate.html#_use_cases
If you are trying to combine two events based on a field that they have in common then an aggregate filter is the way to go.
Thanks for the suggestion !!!. 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.