How to parse elasticsearch filter aggregated_field value (hash type)?

We have the following scenario:
Goal : Perform join in two es index at indexing level
Solution:

input {
  exec {
    codec => json
    interval => 60
    # bash script contains the Elasticsearch query against index 1
    command => "bash /query_index_1.sh"
  }
}
filter {
  # Each split turns one bucket array into one event per bucket, so the
  # number of buckets at each level does not have to be known in advance.
  split { field => "[aggregations][agg1][buckets]" }
  split { field => "[aggregations][agg1][buckets][agg2][buckets]" }
  split { field => "[aggregations][agg1][buckets][agg2][buckets][agg3][buckets]" }

  mutate {
    add_field => {
      "FIELD_1" => "%{[aggregations][agg1][buckets][key]}"
      "FIELD_2" => "%{[aggregations][agg1][buckets][agg2][buckets][key]}"
      # third nesting level is agg3
      "FIELD_3" => "%{[aggregations][agg1][buckets][agg2][buckets][agg3][buckets][key]}"
    }
  }
  elasticsearch {
    hosts => ["host:9200"]
    query_template => "/query_index_2.json"
    # copies the "my_aggs" aggregation of the index 2 response into [location]
    aggregation_fields => {
      "my_aggs" => "location"
    }
  }
}
output {
  stdout { codec => rubydebug }
}

wherein the field "location" contains a hash value of

location => {
  "doc_count_error_upper_bound" => 0,
  "sum_other_doc_count" => 473350,
  "buckets" => [
    {
      "key" => "value1",
      "doc_count" => 4983
    }
  ]
}

How can I get the "value1"?

Anyone? :frowning:

It is unclear what you are trying to do, but if you have a field with that structure called location, and you want to do an add_field similar to the ones in your configuration, it would be

mutate { add_field => { "key" => "%{[location][buckets][0][key]}" } }

Hi, thank you for your response!

Unfortunately we can't include the index array since it is dynamic.
I think I figured it out already, I just need to use the split filter :slight_smile:
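The approach the thread converges on (split each bucket array, then pick the key of the current bucket) can be written as one recursive walk over the aggregation response. The following is an added example, not code from the original posts or from Logstash itself: it flattens a three-level terms aggregation into one row per innermost bucket, and separately pulls every key out of a single-level hash shaped like the location field above. The aggregation names agg1/agg2/agg3, the output names FIELD_1..FIELD_3 and the sample response are assumptions that mirror the question; the response is constructed inline so the script runs offline.

```ruby
# Added example (not from the original post): walk a nested Elasticsearch
# terms-aggregation response and emit one flat row per innermost bucket,
# so the number of buckets at each level does not need to be known ahead
# of time. Aggregation and field names are assumptions taken from the question.
require 'json'

# levels: ordered [aggregation_name, output_field] pairs, outermost first.
# Returns an array of hashes, one per leaf bucket, carrying each ancestor
# bucket's key under its output_field plus the leaf bucket's doc_count.
def flatten_buckets(aggs, levels, acc = {})
  agg_name, field = levels.first
  return [acc] if agg_name.nil? # no levels left: nothing to descend into
  buckets = aggs.fetch(agg_name, {}).fetch('buckets', [])
  buckets.flat_map do |bucket|
    row = acc.merge(field => bucket['key'])
    if levels.size == 1
      [row.merge('doc_count' => bucket['doc_count'])]
    else
      flatten_buckets(bucket, levels.drop(1), row)
    end
  end
end

# Single-level helper for a hash shaped like the question's [location]
# field: returns all bucket keys, however many buckets come back.
def bucket_keys(agg)
  agg.fetch('buckets', []).map { |b| b['key'] }
end

# Constructed sample response, shaped like the one the exec input would
# return (three nested terms aggregations).
SAMPLE_RESPONSE = JSON.parse(<<~JSON)
{
  "aggregations": {
    "agg1": {
      "buckets": [
        {"key": "a", "doc_count": 10,
         "agg2": {"buckets": [
           {"key": "x", "doc_count": 6,
            "agg3": {"buckets": [{"key": "p", "doc_count": 4},
                                 {"key": "q", "doc_count": 2}]}}]}},
        {"key": "b", "doc_count": 3,
         "agg2": {"buckets": [
           {"key": "y", "doc_count": 3,
            "agg3": {"buckets": [{"key": "r", "doc_count": 3}]}}]}}
      ]
    }
  }
}
JSON

LEVELS = [['agg1', 'FIELD_1'], ['agg2', 'FIELD_2'], ['agg3', 'FIELD_3']].freeze

# Constructed copy of the [location] hash from the question.
LOCATION = {
  'doc_count_error_upper_bound' => 0,
  'sum_other_doc_count' => 473350,
  'buckets' => [{ 'key' => 'value1', 'doc_count' => 4983 }]
}.freeze

def sample_rows
  flatten_buckets(SAMPLE_RESPONSE['aggregations'], LEVELS)
end

if __FILE__ == $PROGRAM_NAME
  sample_rows.each { |row| puts row.to_json }
  p bucket_keys(LOCATION)
end
```

Inside Logstash the same walk fits a ruby filter loaded from a script file: read the hash with event.get("[aggregations]") or event.get("[location]"), and have the script's filter(event) method return one LogStash::Event per row. One caveat the sample hash makes visible: sum_other_doc_count is 473350 while the returned buckets cover 4983 documents, so the terms aggregation is truncated by its size setting, and any join built on those buckets silently ignores the rest.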
