Issue with ".keyword" in ruby filter

(Rajkumar Selvakumar) #1

I am using ruby to perform elastic search in logstash config.

The below code works fine , but its returns more than one document because of text based search.

response = index: 'perf_report_by_audit_and_jmeter', body: { query: { match: { 'correlation_id': event.get('correlation_id') } } }
event.set('existing_id', response ['hits']['hits'][0]['_source']['correlation_id'])

while runing elastic query using kibana, I replaced correlation_id with correlation_id.keyword which solved the problem.

But if I use .keyword in ruby filter, error is thrown.
response = index: 'perf_report_by_audit_and_jmeter', body: { query: { match: { 'correlation_id.keyword': event.get('correlation_id') } } }

eval at org/jruby/
register at /bpms/ELK/logstash-5.6.3/vendor/bundle/jruby/1.9/gems/logstash-filter-ruby-3.0.4/lib/logstash/filters/ruby.rb:38
register at /bpms/ELK/logstash-5.6.3/vendor/jruby/lib/ruby/1.9/forwardable.rb:201
register_plugin at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:290
register_plugins at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:301
each at org/jruby/
register_plugins at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:301
start_workers at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:311
run at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/pipeline.rb:235
start_pipeline at /bpms/ELK/logstash-5.6.3/logstash-core/lib/logstash/agent.rb:398

Please assist

(Rajkumar Selvakumar) #2

Found that .keyword is not supported by ruby elastic search gem.
Have found a workaround my forming custome index fields using MD5 hash and simple concatenation to overcome, text based search.

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.