Increment counter if document already exists

yodog · July 4, 2018, 7:01pm

lets say i have an index iptables-%{+YYYY.MM}, which holds iptables kernel generated logs.

i would like to:

1- create the doc if the log line doesn't exists
or
2- increment a field called counter if it already exists

every doc would be saved for the first time with a counter, incrementing on every insert of the same key.

input {
    beats {
        add_field => { "counter" => 1 }
        port      => "5044"
    }
}

the document_id would be based on some fields from message;
this would allow me to always have only one of each message type.

filter {
    fingerprint {
        add_tag             => [ "alreadyseen" ]
        concatenate_sources => true
        key                 => "alreadyseen"
        source              => [ "SRC", "SPT", "DST", "DPT" ]
        target              => "[@metadata][fingerprint]"
    }
}

output {
    elasticsearch {
        action              => "update"
        doc_as_upsert       => true
        document_id         => "%{[@metadata][fingerprint]}"
        index               => "iptables-%{+YYYY.MM}"
        sniffing            => true
        template_overwrite  => true
    }
}

but i have no idea on how to increment my counter.
any help?

yodog · July 5, 2018, 7:05pm

so, after reading https://www.elastic.co/guide/en/elasticsearch/reference/6.2/docs-update.html#_scripted_updates i tried the following

elasticsearch {
    action              => "update"
    doc_as_upsert       => true
    document_id         => "%{[@metadata][fingerprint]}"
    manage_template     => false
    script              => "ctx._source.counter++"
}

but the counter field always concatenate the number 1 instead of adding

on 1st execution counter: 1
on 2nd execution counter: 11
on 3rd execution counter: 111

and so on

i tried all lines below

script => "ctx._source.counter++"
script => "ctx._source.counter += 1"
script => "ctx._source.counter = ctx._source.counter + 1"
script => "ctx._source.counter = ctx._source.counter++"

Badger · July 5, 2018, 8:08pm

add_field => { "counter" => 1 }

Unless you have an index template counter will be a string in elasticsearch. You could mutate it to be an integer (and create a new index, since the old index already has a mapping).

mutate { convert => { "counter" => "integer" } }

However, you will then hit another problem: a null pointer exception when you do the initial insert

script              => "if (ctx._source.counter != null) {ctx._source.counter++}"

yodog · July 9, 2018, 2:38pm

the strange thing is that i actually do have a index template mapping

"properties": {
  "@timestamp": {
    "type": "date"
  },
  "counter": {
    "type": "long"
  },

and kibana mapped it as number, so it seems right

anyway, got it to work with

script => "if (ctx._source['counter'] == null) { ctx._source['counter'] = 1 } else { ctx._source.counter++ }"

and removing add_field from the input

yodog · July 11, 2018, 2:34pm

also,

system · August 8, 2018, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Increment similar event count if occurs inside time window Elasticsearch	1	502	January 17, 2018
How do I increment my count field of my document from logstash? Elasticsearch	1	1614	July 5, 2017
Upsert / Update if exist, create if not Logstash	3	9857	September 7, 2019
Logstash create doc if not exist else append array Logstash	3	3643	November 30, 2018
Increment field value when event occur in logstash output Logstash	1	559	November 12, 2020

Increment counter if document already exists

Related topics