How to query elasticsearch and take some fields from old data

Vittorio · February 16, 2017, 8:51am

Hi all,

I'm new here, hope to get some help

I'm working using the logstash pipeline, for instance, I have rabbitmq as input for my logs and Elastisearch as output. Fantastic!

The problem is in the elasticsearch filter I'm using: with an if statement, if I receive a specific log class I have to look inside elasticsearch for previous logs that have the same "id" as the one that just arrived. If I found the result, I need to attach all the information from the query result into the new log, like an extension of this log with more information.

The problem is I'm not understanding the good way to query elasticsearch using "query_template" and another problem is how to make this more dynamic in term of: how do I specify my key value dynamically ?

here is my query template

  {
 	"query": {
 	"bool": {
 		"must":[{
 			"match":{
 				"id": "871df49c-acad-11e6-80f5-76304dec7eb7" --- this is the value that always changes, so i can't put static value
 			}
 		}
 	]
 	}
 },
 "_source": ["@id", "started"] -- and here i want to add the information from the previous log i found into a new fileld "started" for example, in the new log. But in my case I would love to add all the fields at once.

Hope I clearly explained my issue and hope to get some help!

Thank you

Vittorio · February 16, 2017, 12:05pm

sorry for the second message, but I think the problem is elasticsearch filter is not querying correctly.

I'm not using query_template anymore and I'm using simple query

if [class] == "DPAPIINTERNAL" {
    elasticsearch {
      hosts => "10.1.10.16"
      index => "dp_audit-2017.02.16"
      query => "class:DPAPI AND request.aw:%{[aw]}"
      fields => { "request.app_instance" => "svc" }
    }

with this I want: query elasticsearch at that host using the specified index and i want to search for "class": "DPAPI" (in that index) and "request" :{"aw": "same value of the DPAPIINTERNAL"} then if the query is ok, add "app_instance" which is in the query result, in my DPAPI class log.

the result is

[2017-02-16T12:56:24,808][INFO ][logstash.filters.elasticsearch] Querying elasticsearch for lookup {:params=>{:index=>"dp_audit-2017.02.16", :q=>"class:DPAPI AND request.aw:W3BQBF", :size=>1, :sort=>"@timestamp:desc"}}
[2017-02-16T12:56:24,818][INFO ][logstash.filters.elasticsearch] Querying elasticsearch for lookup {:params=>{:index=>"dp_audit-2017.02.16", :q=>"class:DPAPI AND request.aw:5NO9I3", :size=>1, :sort=>"@timestamp:desc"}}
[2017-02-16T12:56:24,826][INFO ][logstash.filters.elasticsearch] Querying elasticsearch for lookup {:params=>{:index=>"dp_audit-2017.02.16", :q=>"class:DPAPI AND request.aw:GEWD8T", :size=>1, :sort=>"@timestamp:desc"}}

that seems to be good but i don't have any new fields...

Help please!

Thank you

Vittorio · February 17, 2017, 8:08am

Hi all,

This is for let the elastic community know that, the elasticsearch filter for logstash has an error in the documentation.

For instance, using the query template :

 if [type] == "end" {
         elasticsearch {
            hosts => ["es-server"]
            query_template => "template.json"
         }

whitout specifiyng the fields will result in no result.

template.json:

 {
    "query": {
      "query_string": {
       "query": "type:start AND operation:%{[opid]}"
      }
    },
   "_source": ["@timestamp", "started"]
 }

the key "_source" specify all the fields you want to take from the "old" event but is not correct to specify the "new" field in the "new" log, instead, that must be specified using a parameter for the filter that is "fields"

In my case, I did successfully like the example below:

this is the query.template:

{
    "query": {
      "query_string": {
       "query": "class:DPAPI AND request.aw:%{[aw]}"
      }
    },
   "_source": ["request"]

 }

so I'm telling I want request from the result of the query. Now let's add it in our new log "ew_key"

filter{
  if [class] == "DPAPIINTERNAL" {
    elasticsearch {
      hosts => "10.1.10.16"
      index => "dp_audit-2017.02.16"
      query_template => "/home/vittorio/Documents/elastic-queries/matching-requestaw.json"
      fields => { "request" => "new_key" }
    }

  }

}

Hope this will help somebody!

Thanks,
Vittorio

system · March 17, 2017, 8:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cant access fields from log using query template for Elasticsearch filter in Logstash Logstash	1	301	February 5, 2020
Logstash: problem for querying elasticsearch Logstash	16	1950	July 6, 2017
Elastic Search Logstash how to query all fields and get all fields into pipeline? Logstash	1	267	May 5, 2022
Managing queries in Elasticsearch Logstash filter plugin Elasticsearch	5	6370	August 24, 2018
How to query the index and only get specific indecies Logstash	3	448	March 27, 2017

How to query elasticsearch and take some fields from old data

Related topics