How to keep all values instead of replacing them when updating a document

I have logs that contain data from an email, but the data is separated into different log lines, so I have to update the document in Elasticsearch in order to have all the data I need. It works, but if a new value appears, it replaces the old one. Is it possible to have both, old and new, as an array?

These are the log lines I have (they are from one email, so they will go to one document):

{"type":"syslog","smtp_port":"52908","@timestamp":"2019-06-02T01:16:54.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"ecelerity","product":"smgsyslog","numeroproceso":"1559438209","mta_address":"51.77.33.45","client":"client","PID":"11820","@version":"1"}
{"type":"syslog","smtp_port":"41025","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"ecelerity","dst_mta_address":"10.208.204.119","recipients":["user@domain.com"],"product":"smgsyslog","numeroproceso":"1559438215","client":"client","PID":"11820","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"ecelerity","recipients":"user@domain.com","product":"smgsyslog","numeroproceso":"1559438215","action_fields":["subject","clicker","annotate","quarantine"],"client":"client","PID":"11820","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","product":"smgsyslog","msgid":" <mzkzmtk2ngac4105695y471bamtu1otqzodq0odq0otaw@ecotiendanatural.grupocorreomasivo.com>","numeroproceso":"1559438214","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:54.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"ecelerity","recipients":["user@domain.com"],"product":"smgsyslog","numeroproceso":"1559438214","client":"client","PID":"11820","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:54.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"ecelerity","product":"smgsyslog","numeroproceso":"1559438211","sender":"noresponder@ecotiendanatural.grupocorreomasivo.com","client":"client","PID":"11820","@version":"1"}
{"type":"syslog","source":"external","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","product":"smgsyslog","numeroproceso":"1559438214","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","subject":"¡ hasta 40% off ! todo belleza, cuidado y cosmética natural ahora !!!","product":"smgsyslog","numeroproceso":"1559438214","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","veredicto":"connection_class_1","@timestamp":"2019-06-02T01:16:50.000Z","policy_grp":"default","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","filtering_policy":"static connection class 1","recipients":"<none>","product":"smgsyslog","numeroproceso":"1559438210","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","veredicto":"bulk","@timestamp":"2019-06-02T01:16:55.000Z","policy_grp":"default","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","filtering_policy":"marketing mail: modify subject line with \"[marketing mail]\"","recipients":"user@domain.com","product":"smgsyslog","numeroproceso":"1559438215","client":"client","PID":"5179","@version":"1"}
{"PID":"5179","@version":"1","@timestamp":"2019-06-02T01:16:55.000Z","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","product":"smgsyslog","veredicto":"content_1541515424968","policy_grp":"default","nombre":"mailserver","match_seccion_especifica":"recipient","match_seccion":"envelope","recipients":"user@domain.com","numeroproceso":"1559438215","match_string":"domain.com","client":"client","filtering_policy":"legal disclaimer inbound","type":"syslog"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:54.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"ecelerity","sign_domain":"grupocorreomasivo.com","selector":"acymailing","dkim_result":"pass","product":"smgsyslog","numeroproceso":"1559438214","client":"client","PID":"11820","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","msg_size":35616,"product":"smgsyslog","numeroproceso":"1559438214","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","product":"smgsyslog","numeroproceso":"1559438214","ehlo":"vps617915.ovh.net","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","logical_ip":"51.77.33.45","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","product":"smgsyslog","numeroproceso":"1559438215","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","recipients":["user@domain.com"],"product":"smgsyslog","numeroproceso":"1559438215","fired":["bulk","content_1541515424968"],"client":"client","PID":"5179","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"bmserver","recipients":["user@domain.com"],"product":"smgsyslog","numeroproceso":"1559438215","client":"client","PID":"5179","@version":"1"}
{"type":"syslog","@timestamp":"2019-06-02T01:16:55.000Z","nombre":"mailserver","audit_id":"0ad0cc76-fc1ff70000002e2c-ad-5cf3238174f5","proceso":"ecelerity","recipients":["user@domain.com"],"product":"smgsyslog","numeroproceso":"1559438215","client":"client","PID":"11820","@version":"1"}

In the Logstash output I have:

elasticsearch {
  index => "%{client}-mail-%{+YYYY.MM.dd}"
  hosts => ["http://elastic:9200"]
  action => "update"
  doc_as_upsert => true
  document_id => "%{audit_id}"
  retry_on_conflict => "10"
}

Result: I get:

  • "filtering_policy": "legal disclaimer inbound",

I would like to get:

  • "filtering_policy": ["legal disclaimer inbound", "filtering_policy":"marketing mail: modify subject line with "[marketing mail]", "filtering_policy":"static connection class 1"]

Or something like that. Is it possible?
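The behaviour described above is what a partial-document update with doc_as_upsert does: each event's fields are merged into the stored document and a field that already exists is overwritten, so only the last filtering_policy survives. Keeping every value requires merge logic that appends distinct values to an array instead of overwriting. The Python below is an added example, not code from the post or from Logstash; it replays a constructed set of events keyed by audit_id (the audit_id, addresses and field subset are made up, modelled on the lines above), shows the overwrite result side by side with the accumulating merge, and names the set of fields that should become arrays as an assumption (ACCUMULATE). Every other field keeps last-write-wins semantics, and values that arrive sometimes as a scalar and sometimes as a list (recipients in the post) are normalised before merging.

```python
import json

# Constructed sample events for one message (one audit_id); the ids and
# addresses are invented, only the field names follow the post's log lines.
SAMPLE_LINES = [
    '{"audit_id":"A1","proceso":"bmserver","veredicto":"connection_class_1",'
    '"filtering_policy":"static connection class 1"}',
    '{"audit_id":"A1","proceso":"ecelerity","recipients":["user@example.com"],'
    '"sender":"noreply@example.com"}',
    '{"audit_id":"A1","proceso":"bmserver","veredicto":"bulk",'
    '"filtering_policy":"marketing mail: modify subject line with \\"[marketing mail]\\"",'
    '"recipients":"user@example.com"}',
    '{"audit_id":"A1","proceso":"bmserver","veredicto":"content_1541515424968",'
    '"filtering_policy":"legal disclaimer inbound","recipients":"user@example.com"}',
]

# Assumption: these fields may legitimately carry several values per message
# and should be stored as arrays of distinct values. Everything else is a
# per-message scalar where the latest value is the right one.
ACCUMULATE = {"filtering_policy", "veredicto", "recipients", "proceso"}


def as_list(value):
    """Normalise a scalar-or-list field to a list (recipients arrives both ways)."""
    return list(value) if isinstance(value, list) else [value]


def merge_event(doc, event, accumulate=ACCUMULATE):
    """Merge one event into the stored document.

    Accumulated fields append values not seen before (order preserved);
    all other fields are overwritten, matching doc_as_upsert behaviour.
    """
    for field, value in event.items():
        if field in accumulate:
            merged = as_list(doc.get(field, []))
            for item in as_list(value):
                if item not in merged:
                    merged.append(item)
            doc[field] = merged
        else:
            doc[field] = value
    return doc


def build_documents(lines, id_field="audit_id"):
    """Accumulating merge: one document per id with array-valued fields."""
    docs = {}
    for line in lines:
        event = json.loads(line)
        doc_id = event[id_field]
        docs[doc_id] = merge_event(docs.get(doc_id, {}), event)
    return docs


def overwrite_documents(lines, id_field="audit_id"):
    """What a plain partial update with doc_as_upsert does: last write wins."""
    docs = {}
    for line in lines:
        event = json.loads(line)
        docs.setdefault(event[id_field], {}).update(event)
    return docs


if __name__ == "__main__":
    print("overwrite:", json.dumps(overwrite_documents(SAMPLE_LINES)["A1"], indent=2))
    print("accumulate:", json.dumps(build_documents(SAMPLE_LINES)["A1"], indent=2))
```

The overwrite path reproduces the post's observed result (a single "legal disclaimer inbound"), while the accumulating path yields the three filtering_policy values as one array and a single deduplicated recipients array despite the scalar/list mix. In the Logstash pipeline the same append-if-absent logic belongs in the update itself, run on the Elasticsearch side (for example via the elasticsearch output's script and scripted_upsert options), so that the stored array is extended atomically under retry_on_conflict rather than recomputed by each event from a field it cannot see.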
