How to "recreate" events from an index by just changing time?

kelk · November 9, 2020, 1:08pm

hi
We have some "enriched" events in an index from last month for a customer product checkout. The enrichment has happened in "elastic beats" && "logstash" and not entirely in my control. So I cannot simulate the _raw events again.

The only option left is to re-index a "set of events" in order, but just change the "timestamp" of the sequence on the fly. Is there a tool/idea to

Get specific data from index
reindex these events to another test-index but with "similar timestamp" for today

Eg of what I'm looking for is

Using https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html (re-index api)
But ability to transform/change the logs with certain logic (or pass it back to logstash)

warkolm · November 9, 2020, 10:06pm

You could use reindex with an ingest pipeline (scroll down a little bit with this link, it's under the routing t4ext) to do the processing, or use a painless script.

system · December 7, 2020, 10:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Maintaining "time delta" between events when reindexing Elasticsearch	3	130	February 13, 2024
Pull data periodically from an Elasticsearch index Logstash	1	298	August 18, 2020
Re-Indexing Via ES Document Numbers Logstash	1	310	July 6, 2017
Timestamp format change Elasticsearch	2	488	December 12, 2017
Recompute event.hash for documents in cold indices Elasticsearch painless , runtime-fields	1	325	January 11, 2023

How to "recreate" events from an index by just changing time?

Related topics