_id like var in output email

cassiopee · May 11, 2021, 12:24pm

hi everyone,

I would use _id (metadata) like variable in my output mail.
I make my output on this way :

`output {
elasticsearch {
     hosts => [ "https://192.168.1.160:9200" ]
     ssl => true
     ssl_certificate_verification => false
     user => "admin"
     password => "admin"
     index => "apache"

}
stdout { codec => rubydebug }

if [tags] {
email {
to => "xxx"
address => "smtp.gmail.com"
port => 587
username => "xxx"
password => "xxx"
use_tls => true
body => "something happened: %{message} http://xxx/5601/app/discover#/doc/82de0080-acd9-11eb-a4b8-614232a13000/indexname?id=%{id}"
}
}
}`

but it wouldn't work because it can't considerate _id like variable.

someone have idea ?

leandrojmp · May 11, 2021, 1:37pm

The _id does not exist in your logstash document, it will be created by elasticsearch when it receives the document.

To do what you want you would need to set the document id in logstash using the document_id option, but how to do that will depend on your document, if you have any field or combination of fields that it is unique.

cassiopee · May 11, 2021, 1:54pm

yes I understood my mistake. I guess my last challenge it's syntaxic. I generated _id in logstash by this way :

    source => "message"
    target => "[@metadata][fingerprint]"
    method => "MURMUR3"
  } ```

``` output {
    elasticsearch {
         hosts => [ "https://192.168.1.160:9200" ]
         ssl => true
         ssl_certificate_verification => false
         user => "admin"
         password => "admin"
         index => "apache"
         document_id => "%{[@metadata][fingerprint]}"
         fields => { "document_id" => "refid" }
 }
  stdout { codec => rubydebug } } ```

but it's occure errore when I add this line:  ```  fields => { "document_id" => "refid" } ```

leandrojmp · May 11, 2021, 2:00pm

This fields => { "document_id" => "refid" } does not exists in logstash, what are you trying to do?

The document_id option in the elasticsearch output will tell elasticsearch to use this value as the value for the _id field.

If you want to add another field named refid with this same value, you need to add it before the output block, in the filter block.

mutate {
    add_field => { "refid" => "%{[@metadata][fingerprint]}" }
}

Since this will be the value of the _id of your document, you could use it in your e-mail output without the need to create another field.

body => "something happened: %{message} http://xxx/5601/app/discover#/doc/82de0080-acd9-11eb-a4b8-614232a13000/indexname?id=%{[@metadata][fingerprint]}"

cassiopee · May 11, 2021, 2:09pm

I was trying to to give name of _id for call him in variable like
document_id = refid
http://xxx/5601/app/discover#/doc/82de0080-acd9-11eb-a4b8-614232a13000/indexname?id=%refid

thank's it's finally work with your sentence

body => "something happened: %{message} http://xxx/5601/app/discover#/doc/82de0080-acd9-11eb-a4b8-614232a13000/indexname?id=%{[@metadata][fingerprint]}"

system · June 8, 2021, 2:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.