Increment field value when event occurs in Logstash output

Is it possible to increment a field value every time an event occurs?
Inputs are received from Filebeat, and I want to store the values in Elasticsearch.
I have the following in my Logstash pipeline:

> filter
> {
>     if ([message] =~ ".*AuditLog.*\sLogin\ssucceeded.*") {
>         mutate { add_tag => "login" }
>         mutate { add_field => {"login_counter" => 0} }
>         mutate { convert => ["login_counter","integer"] }
>     }
> }
>
> output {
>     if "login" in [tags]
>     {
>         elasticsearch {
>             hosts => ["http://localhost:9200"]
>             #document_id => "%{[@metadata][_id]}"
>             doc_as_upsert => true
>             action => "update"
>             index => "myindex"
>             script => "ctx._source.login_counter++"
>         }
>     }
> }

Is it possible to get the value from the login_counter field from the last document (latest @timestamp), increment it by 1 and store this value in the current document?

I also tried it with the http output plugin, but I don't know how to insert and increment the value in one step.

It is NOT an option for me to do this in the Logstash filter, because when events occur in the same second the previous login_counter value is not yet stored in the database and 2 events get the same value. So the login_counter is incremented only by 1 instead of 2.

Can anybody help me?

Thanks
anja
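
One way to avoid the read-then-increment race described above is to let Elasticsearch apply the increment itself on a single counter document. This is an added example, not part of the original post; the `myindex-counters` index and the `login_counter` document id are assumed names, and it keeps a running total of successful logins rather than stamping a sequence number on each event.

```logstash
filter {
  if [message] =~ /AuditLog.*\sLogin\ssucceeded/ {
    mutate { add_tag => ["login"] }
  }
}

output {
  if "login" in [tags] {
    # 1) Store the login event itself as an ordinary document.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "myindex"
    }

    # 2) Increment one shared counter document. The script runs inside
    #    Elasticsearch, so Logstash never reads the old value and two
    #    events arriving in the same second are both counted.
    elasticsearch {
      hosts             => ["http://localhost:9200"]
      index             => "myindex-counters"  # assumed index name
      document_id       => "login_counter"     # assumed fixed id: every event updates this one document
      action            => "update"
      script_type       => "inline"
      script_lang       => "painless"
      script            => "ctx._source.login_counter += 1"
      # Used only when the counter document does not exist yet (first login seen).
      upsert            => '{"login_counter": 1}'
      # Concurrent pipeline workers can collide on the same document;
      # retry the update instead of dropping the increment.
      retry_on_conflict => 5
    }
  }
}
```

The `update` action needs a `document_id` to know which document to modify, which is why the counter lives under a fixed id here.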
