VK345
February 11, 2022, 5:20pm
1
My config is:
======================================
input {
  file {
    path => "/home/elk/domains/rf_domains_test"
    start_position => "beginning"
    # Do not remember the read position: the file is re-read on every start
    sincedb_path => "/dev/null"
  }
}
filter {
  grok {
    match => { "message" => "%{HOSTNAME:Domain}%{SPACE}%{USERNAME:Registrator}%{SPACE}%{DATE_EU:Created}%{SPACE}%{DATE_EU:Paid-till}%{SPACE}%{DATE_EU:Free-date}" }
    # Static value: every event gets the same ID
    add_field => { "ID" => "Hello world" }
  }
  mutate {
    remove_field => ["message", "@timestamp", "path", "host", "@version"]
  }
  # Joda-Time pattern: dd = day of month, yyyy = year (DD would be day of year)
  date {
    match => ["Created", "dd.MM.yyyy"]
    target => "Created"
  }
  date {
    match => ["Paid-till", "dd.MM.yyyy"]
    target => "Paid-till"
  }
  date {
    match => ["Free-date", "dd.MM.yyyy"]
    target => "Free-date"
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "domains_rf_test"
  }
  stdout {
    codec => rubydebug
  }
}
======================================
Now to every document I add the field "ID" => "Hello world".
I need:
"ID" => "1"
"ID" => "2"
"ID" => "3"
"ID" => "4"
"ID" => "5"
.......
How do I do it?
Tomo_M
(Tomohiro Mitani)
February 11, 2022, 5:57pm
2
You need to hold state in Logstash, but it is not explicitly supported.
Hi,
I'm trying to apply a state (with a field in ES) to subsequent log lines after seeing [message] =~ "foo" but have not had luck using class variables with the ruby filter (@@classVariable) as described in Keeping global variables in LS?! with logstash 6.0.1.
I find that the class variable does not hold the correct value when exploring the data on discover in Kibana. Specifically, I want the state to change when I see [message] =~ "bar" and then hold that value until [message] =~ "foo" is …
What is your purpose in using such incremental ids? Is the Elasticsearch default _id not enough?
VK345
February 11, 2022, 6:16pm
3
Thank you for your reply.
Maybe you know a different way to solve this task?
Maybe you know how not to use the standard _id, for example _id:o_TT6X4B7HVNK6zt50Q8?
I need
_id:1
_id:2
This data (1, 2, 3...) is not in the input?
VK345
February 11, 2022, 6:40pm
4
I need to get each document one by one; with incremental ids this is easy.
Tomo_M
(Tomohiro Mitani)
February 11, 2022, 11:31pm
5
As it is difficult, you may need some alternatives. If you would fully explain the situation and the necessity, there could be some proposal.
VK345
February 12, 2022, 12:47pm
6
Ok
I have an index; my index, for example, contains 1000 docs.
I take 1 doc, take the field I need, use it in my bash script, get the output of my bash script, and POST new data into this doc.
I need to do this for my 1000 docs.
I think maybe I can use it -
VK345
February 12, 2022, 12:48pm
7
Thank you, please answer my question.
Tomo_M
(Tomohiro Mitani)
February 12, 2022, 12:57pm
8
There is no need for incremental id.
If the size is only 1000, you can get the whole document with
{
  "size": 10000,
  "query": {"match_all": {}}
}
If you need pagination, any sort should be ok. See NOTE in Search after.
Anyway, there are _id fields (something like {"_id" : "FaslK3QBySSL_rrj9zM5"}), where unique values are automatically assigned by Elasticsearch, to identify documents.
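The approach from the answer above, paging with search_after and addressing each document by its Elasticsearch-assigned _id instead of an incremental counter, as an added example that is not part of the original thread. It assumes `Domain.keyword` exists and is unique per document (the keyword sub-field created by default dynamic mapping); `iter_docs`, `update_all`, `http_post` and `compute` are hypothetical names.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

ES = "http://localhost:9200"     # host from the Logstash output in the question
INDEX = "domains_rf_test"        # index from the Logstash output in the question
SORT_FIELD = "Domain.keyword"    # assumption: unique per document, used as the sort key


def http_post(path, body):
    """POST a JSON body to Elasticsearch and return the decoded reply."""
    req = Request(ES + path, data=json.dumps(body).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    with urlopen(req) as resp:
        return json.load(resp)


def iter_docs(post=http_post, page_size=500):
    """Yield every hit in INDEX, one page at a time, using search_after."""
    body = {"size": page_size, "query": {"match_all": {}},
            "sort": [{SORT_FIELD: "asc"}]}
    while True:
        hits = post(f"/{INDEX}/_search", body)["hits"]["hits"]
        if not hits:
            return
        yield from hits
        # Resume after the sort values of the last hit on this page.
        body["search_after"] = hits[-1]["sort"]


def update_all(compute, post=http_post, page_size=500):
    """Run compute(_source) for each document and write the result back by _id."""
    count = 0
    for hit in iter_docs(post, page_size):
        new_fields = compute(hit["_source"])  # e.g. run the external script here
        doc_id = quote(hit["_id"], safe="")   # _id is the only handle needed
        post(f"/{INDEX}/_update/{doc_id}", {"doc": new_fields})
        count += 1
    return count
```

Call `update_all(compute)` with a function that takes a document's `_source` and returns the fields to add; only fields other than the sort field should be changed while paging.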