Issue with ".keyword" in ruby filter

I am using ruby to perform elastic search in logstash config.

The below code works fine , but its returns more than one document because of text based search.

response = index: 'perf_report_by_audit_and_jmeter', body: { query: { match: { 'correlation_id': event.get('correlation_id') } } }
event.set('existing_id', response ['hits']['hits'][0]['_source']['correlation_id'])

while runing elastic query using kibana, I replaced correlation_id with correlation_id.keyword which solved the problem.

But if I use .keyword in ruby filter, error is thrown.
response = index: 'perf_report_by_audit_and_jmeter', body: { query: { match: { 'correlation_id.keyword': event.get('correlation_id') } } }

eval at org/jruby/
register at /bpms/ELK/logstash-5.6.3/vendor/bundle/jruby/1.9/gems/logstash-filter-ruby-3.0.4/lib/logstash/filters/ruby.rb:38
register at /bpms/ELK/logstash-5.6.3/vendor/jruby/lib/ruby/1.9/forwardable.rb:201
register_plugin at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:290
register_plugins at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:301
each at org/jruby/
register_plugins at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:301
start_workers at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:311
run at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:235
start_pipeline at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/agent.rb:398

Please assist

Found that .keyword is not supported by ruby elastic search gem.
Have found a workaround my forming custome index fields using MD5 hash and simple concatenation to overcome, text based search.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.