Currently i am using the below configuration to update the appdata value to other events 000C.
Condition like 000A or 000B document ID matched with 000C event Document ID
if[eventid]=="000A" or [eventid]=="000B"
{
elasticsearch
{
hosts => ["localhost:9200"]
document_id => "%{sid}"
index => "logstash"
timeout => 30
script => "ctx._source.appdata = params.event.get('appdata')"
doc_as_upsert => true
action => "update"
}
stdout { codec => rubydebug }
}
Question ?
This is partially working and not working for all entries. If i have 10 entries , its only updating 10 events of 000C and remaining 5 events are storing into elastic search without app data.
we are thinking, any issue with timeout. we verified 000A or 000B matched document ID is present in elastic and not updated to 000C events. How to resolve this difference.
User0 has,
"eventType" : "login",
"username" : "user0",
"countrycode" : "US"
User1 has,
"username" : "user1",
"countrycode" : "US",
"appdata" : {
"accessType" : "app",
"appname" : "Google",
"eventtime" : "Nov 18 16:54:34"
}