Indexing Aggregate Results

Hi all,

I'm attempting to use the Logstash elasticsearch input to perform an aggregating query against the auditbeat index, add some metadata to the results, then send them back to Elasticsearch using the elasticsearch Logstash output.

My issue is that, instead of sending the results of the aggregation (plus an add_fields mutation) to the new index, I'm receiving the full events (plus an add_fields mutation).

As an example - I'd like to index:

username = bob
failed logins = 500
my_tag = failed logins

What I'm currently receiving in the new index is all 500 failed login attempts by bob, with the correct value for my_tag.
I thought that "size" : 0 would stop things from returning each result (this gives the desired result in the dev console), but apparently not.

{
  "size": 0,
  "aggs": {
    "per_user": {
      "terms": {
        "field": "user.name",
        "min_doc_count": 10
      }
    }
  }
}

Has anybody experienced something similar before?

Thanks

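The behaviour in the post follows from how the Logstash elasticsearch input works: it pages through the search with its own `size` setting and turns each document under `hits.hits` into an event; the `aggregations` section of the response is never read, so bucket results cannot come out of that plugin no matter what the body says. The example below is added here and is not code from the thread or from Logstash. It shows, on a constructed response, what a hits-only consumer sees for a `"size": 0` query (nothing) next to the per-user summary documents the poster wants, and builds the `_bulk` payload to index them. The `event.outcome: failure` filter, the `failed-logins-summary` index name and the field names in the summary are assumptions for illustration.

```python
import json
import urllib.request

# Constructed sample response for the poster's "size": 0 terms aggregation.
# Not real auditbeat data; shaped like an Elasticsearch _search reply.
SAMPLE_RESPONSE = {
    "took": 3,
    "timed_out": False,
    "hits": {
        "total": {"value": 512, "relation": "eq"},
        "max_score": None,
        "hits": [],  # "size": 0 -> no documents are returned
    },
    "aggregations": {
        "per_user": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "bob", "doc_count": 500},
                {"key": "alice", "doc_count": 12},
            ],
        }
    },
}


def build_query(min_doc_count=10):
    """The poster's aggregation plus a filter so doc_count only counts
    failures. event.outcome is an assumed ECS field; adjust to your mapping."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"event.outcome": "failure"}}]}},
        "aggs": {
            "per_user": {
                "terms": {"field": "user.name", "min_doc_count": min_doc_count}
            }
        },
    }


def events_from_hits(response):
    """What a hits-only consumer such as the Logstash elasticsearch input
    would emit: one event per document in hits.hits, aggregations ignored."""
    return [hit["_source"] for hit in response["hits"]["hits"]]


def summaries_from_buckets(response, agg_name="per_user", tag="failed logins"):
    """Turn each terms bucket into one summary document carrying the
    metadata the poster wanted to add (assumed field names)."""
    buckets = response["aggregations"][agg_name]["buckets"]
    return [
        {"username": b["key"], "failed_logins": b["doc_count"], "my_tag": tag}
        for b in buckets
    ]


def to_bulk_body(docs, index="failed-logins-summary"):
    """Serialize summaries as newline-delimited JSON for the _bulk API:
    an action line followed by a document line, trailing newline required."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def run(base_url, source_index="auditbeat-*", dest_index="failed-logins-summary"):
    """Run the aggregation against a live cluster and bulk-index the summaries.
    Needs a reachable Elasticsearch at base_url (add auth headers as needed)."""
    search = urllib.request.Request(
        f"{base_url}/{source_index}/_search",
        data=json.dumps(build_query()).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(search) as resp:
        response = json.load(resp)
    docs = summaries_from_buckets(response)
    bulk = urllib.request.Request(
        f"{base_url}/_bulk",
        data=to_bulk_body(docs, dest_index).encode(),
        headers={"Content-Type": "application/x-ndjson"},
    )
    with urllib.request.urlopen(bulk) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed response.
    print("hits-only consumer sees:", events_from_hits(SAMPLE_RESPONSE))
    print(to_bulk_body(summaries_from_buckets(SAMPLE_RESPONSE)))
```

Running the aggregation yourself (a cron job, a watcher, or Logstash's http_poller input feeding a split filter on the buckets) is the usual way to get summary documents like these into a second index; the elasticsearch input is the wrong tool for bucket output.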