Dear Elastic community,
I am trying to join data from two indices together and write it to a third one. However, despite a (I think) correct Logstash configuration, I do not get the desired result. Maybe one of you can spot the mistake.
The Logstash configuration is the following:
input {
  elasticsearch {
    id       => "<target_index_input>"
    hosts    => ["<hostname>"]
    ssl      => true
    ca_file  => "<path to file>"
    index    => "<source_index_1_name>"
    ### Delta load: only documents from the last 20 minutes whose workflow.name ends in the search text
    query    => '{"query": {"bool": {"filter": [{"wildcard": {"workflow.name": "*<some text I search for>"}},{"range": {"@timestamp": {"format": "strict_date_optional_time","gte": "now-20m", "lte": "now"}}}]}}}'
    # six-field cron (seconds first): run the query every 10 seconds
    schedule => "*/10 * * * * *"
    user     => "<some user>"
    password => "<corresponding password>"
  }
}
filter {
  mutate {
    add_field => { "secret" => "<secret to write into target index>" }
  }
  # Look up the matching document in source index 2 and copy its message into metadata
  elasticsearch {
    hosts    => ["<hostname:port>"]
    ssl      => true
    ca_file  => "<path to file>"
    index    => "<source_index_2_name>"
    # query_string syntax; %{[event][id]} is interpolated from the current event
    query    => 'workflow_execution_id:"%{[event][id]}" AND message: CCF communication*'
    user     => "<some user>"
    password => "<corresponding password>"
    fields   => {
      "message" => "[@metadata][message]"
    }
  }
}
output {
  tcp {
    id    => "<target_index_output>"
    host  => "<correct host for output>"
    port  => <port number>
    codec => "json_lines"
  }
  # metadata => true so [@metadata][message] is visible on the console
  stdout {
    codec => rubydebug { metadata => true }
  }
}
I would like to get the message from source index 2, which has a field called "workflow_execution_id". This field matches "event.id" from source index 1. If the message from source index 2 starts with "CCF communication", then I would like to get its content into [@metadata][message].
I have also tried this with double quotes around the content of the message field, namely:
query => 'workflow_execution_id:"%{[event][id]}" AND message: "CCF communication"'
Also, I have tried both variations with and without the "*" after the word "communication". On the console I cannot see the message in [@metadata][message]. The message field in source index 2 is a keyword field.
Does someone have an idea?
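The following filter stanza is an added example and not part of the original post; it is the lookup rewritten as an editor would expect it to behave for a keyword field, with the same placeholders as the posted configuration. The keystore variable names ES_USER and ES_PASSWORD are assumptions. The elasticsearch filter's query option is Lucene query_string syntax: in the posted query only the term "CCF" is scoped to the message field, the unscoped "communication*" is searched in the default field, and because a keyword field holds the whole message as a single term, "message:CCF" never matches a value that merely starts with "CCF". The phrase form "CCF communication" has the same problem, since a phrase on a keyword field must equal the complete value. Escaping the space keeps the prefix as one wildcard term that is compared against the complete keyword value (case-sensitive):

```logstash
filter {
  elasticsearch {
    hosts    => ["<hostname:port>"]
    ssl      => true
    ca_file  => "<path to file>"
    index    => "<source_index_2_name>"
    # query_string syntax. `CCF\ communication*` is a single wildcard term scoped
    # to `message`, so it is matched against the complete keyword value; the
    # unescaped `message: CCF communication*` would scope only `CCF` to `message`.
    # Backslashes pass through a single-quoted Logstash string unchanged.
    query    => 'workflow_execution_id:"%{[event][id]}" AND message:CCF\ communication*'
    # Assumed keystore entries; keeps credentials out of the pipeline file
    # (bin/logstash-keystore add ES_USER ES_PASSWORD).
    user     => "${ES_USER}"
    password => "${ES_PASSWORD}"
    fields   => {
      "message" => "[@metadata][message]"
    }
  }
}
```

If escaping in query_string is unwelcome, the same filter accepts a query_template pointing at a JSON file with full Query DSL, where a term query on workflow_execution_id combined with a prefix query on message expresses the lookup without any escaping. Two further things worth checking on the posted pipeline: the added "secret" field and the plaintext password are written into the pipeline file, which the keystore reference above avoids, and a 10-second schedule combined with a "now-20m" range re-reads the same 20 minutes of source documents on every run, so the target will receive each joined event many times unless it is deduplicated downstream (for example by using a stable document id).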