Is it possible to mutate field in elastic using logstash?


Is it possible to mutate a field (add/update) on an event already in elastic using logstash?
I thought it would be possible to do that using the logstash-filter-elasticsearch but after reading the documentation I see that's not possible.
Are there other alternatives or would it be advised not to do this?

Regards, Benny

Yes, you need to get that document, edit it, then reindex into ES. There's not really any concept of edit-in-place.

What sort of data is it?

Hi Mark,

I have events that have certain statuses, for example registered and in_transit.
The registered always comes in first. But when the in_transit event for some reason does not arrive I need to signal it in kibana. I understood it is not possible to create such visualisations so I wanted to update the registered event with a boolean flag to state that the in_transit event has arrived. This way I know which registered events are missing in_transit events.
I thought it would be possible to do that with the logstash elasticsearch filter but that does not seem to be the case reading the documentation.
I also read that doing the edit in the output of logstash is tricky business and must be used with caution. This solution seems also not really the way to go. Or is this a misunderstanding on my part?
It was also suggested by a kibana team member to create a custom visualisation.

What other possibilities are there?

Regards benny
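
The flagging approach described in the post above, as an added example that is not part of the original thread or any Elastic code: it pairs in_transit events with their registered documents and builds the NDJSON body for Elasticsearch's `_bulk` API, whose `update` action performs the get, merge and reindex cycle on the server. The `shipment_id` correlation field, the `in_transit_arrived` flag, the `shipments` index and the sample events are all assumptions constructed for illustration.

```python
import json

# Constructed sample events; "shipment_id" is an assumed correlation key.
EVENTS = [
    {"_id": "reg-1001", "shipment_id": "1001", "status": "registered"},
    {"_id": "reg-1002", "shipment_id": "1002", "status": "registered"},
    {"_id": "tr-1001", "shipment_id": "1001", "status": "in_transit"},
    {"_id": "tr-1003", "shipment_id": "1003", "status": "in_transit"},
]

FLAG = "in_transit_arrived"  # hypothetical boolean field to filter on in Kibana


def build_bulk_updates(events, index="shipments"):
    """Return (ndjson_body, orphans) for a POST to the _bulk endpoint.

    Every in_transit event becomes a partial update ("doc") of the matching
    registered document. in_transit events with no registered counterpart
    are returned as orphans instead of creating a stray document.
    """
    registered = {e["shipment_id"]: e["_id"]
                  for e in events if e["status"] == "registered"}
    lines, orphans = [], []
    for event in events:
        if event["status"] != "in_transit":
            continue
        doc_id = registered.get(event["shipment_id"])
        if doc_id is None:
            orphans.append(event["shipment_id"])
            continue
        # Action line, then the partial document merged into the stored one.
        lines.append(json.dumps({"update": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps({"doc": {FLAG: True}}))
    # A bulk body must end with a newline; an empty batch sends nothing.
    body = "\n".join(lines) + "\n" if lines else ""
    return body, orphans


def missing_transit(events):
    """Shipment ids that were registered but never reported in_transit."""
    seen = {e["shipment_id"] for e in events if e["status"] == "in_transit"}
    return sorted(e["shipment_id"] for e in events
                  if e["status"] == "registered"
                  and e["shipment_id"] not in seen)


if __name__ == "__main__":
    body, orphans = build_bulk_updates(EVENTS)
    print(body, end="")
    print("orphans:", orphans, "missing:", missing_transit(EVENTS))
```

Once the flag is written, a Kibana query such as `status:registered AND NOT in_transit_arrived:true` lists the registered events still waiting for their in_transit counterpart.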


Any thoughts/suggestions on the above?

Regards benny
