Keyword field update with existing value


Hi, is it possible to update the value in TEAM (keyword field) together with the existing value, in the form ("NETWORK TEAM","DBA TEAM")? When I update, it updates as a whole text ("NETWORK TEAM,DBA TEAM"). Please help.

Welcome!

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

Could you provide a full recreation script as described in About the Elasticsearch category? It will help to better understand what you are doing. Please try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste in Kibana dev console, click on the run button to reproduce your use case. It will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.

Thanks for the reply, sir.
My mapping code:

```
PUT first_project/_mapping
{
  "properties":{
    "ALERT_ID":{
      "type":"text"
    },
    "COUNT":{
      "type":"integer"
    },
    "CINAME":{
      "type":"text"
    },
    "ENVIRONMENT":{
      "type":"text"
    },
    "IP":{
      "type":"ip"
    },
    "SEVERITY":{
      "type":"text"
    },
    "SUMMARY":{
      "type":"text"
    },
    "SOURCE":{
      "type":"text"
    },
    "SOURCE_TIME":{
      "type":"date"
    },
    "CREATED_TIME":{
      "type":"date"
    },
    "LAST_MODIFIED_TIME":{
      "type":"date"
    },
    "STATUS":{
      "type":"text"
    },
    "MODIFIED_BY":{
      "type":"text"
    },
    "TAGS":{
      "type":"keyword"
    },
    "TEAM": {
      "type": "keyword"
    }
  }
}
```


I need to update my TEAM field (keyword type), keeping the existing value ("NETWORK TEAM") and adding one more value ("DBA TEAM"), with output like ("NETWORK TEAM","DBA TEAM"). When I use this update query:

```
POST first_project/_update/RV8l4XYBkg9Xo5ZNaP0x/
{
  "script": {
    "source": "ctx._source.TEAM +=',DBA Team';",
    "lang": "painless"
  }
}
```

it gives output like this ("NETWORK TEAM,DBA TEAM"). Please suggest how to get separate values like ("NETWORK TEAM","DBA TEAM"), adding a separate value.

I understand that this update ("NETWORK TEAM","DBA TEAM") is not possible; it gives a syntax error. I will follow this update method ("NETWORK TEAM,DBA TEAM") in the keyword field, and I will do the remaining extraction in my code. Thanks, Elastic Team, for the reply.

Having separate values won't change the way it's indexed much, as everything will be flattened in the end.

So indexing:

```
{
  "TEAM": "foo bar"
}
```

is quite similar to:

```
{
  "TEAM": [ "foo", "bar" ]
}
```

Note the array here.

If you want to do this, you need to create an array, instead of doing string manipulations.

```
DELETE first_project
PUT first_project
{
  "mappings": {
    "properties": {
      "TEAM": {
        "type": "keyword"
      }
    }
  }
}
PUT first_project/_doc/1
{
  "TEAM": "foo"
}
POST first_project/_update/1/
{
  "script": {
    "source": """def result = new ArrayList();
result.add(ctx._source.TEAM);
result.add("bar");
ctx._source.TEAM = result;""",
    "lang": "painless"
  }
}
GET first_project/_doc/1
```

It gives:

```
{
  "_index" : "first_project",
  "_type" : "_doc",
  "_id" : "1",
  "_version" : 2,
  "_seq_no" : 1,
  "_primary_term" : 1,
  "found" : true,
  "_source" : {
    "TEAM" : [
      "foo",
      "bar"
    ]
  }
}
```
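
A more defensive variant of the update above, as an added example that is not part of the original thread: it handles a `TEAM` that is missing, a single string, or already an array, skips duplicates, and passes the new value through `params` so caller-supplied text never becomes part of the script source. The document id `1` and the value `DBA TEAM` are sample values chosen for illustration.

```console
POST first_project/_update/1
{
  "script": {
    "lang": "painless",
    "source": """
      // Normalise TEAM to a list, whatever shape it currently has.
      def current = ctx._source.TEAM;
      def teams = new ArrayList();
      if (current instanceof List) {
        // Already an array: copy the values instead of nesting the list.
        teams.addAll(current);
      } else if (current != null) {
        // Single keyword value: keep it as the first element.
        teams.add(current);
      }
      // Append the new value only if it is not already present.
      if (!teams.contains(params.team)) {
        teams.add(params.team);
      }
      ctx._source.TEAM = teams;
    """,
    "params": {
      "team": "DBA TEAM"
    }
  }
}
GET first_project/_doc/1
```

Running the update a second time leaves `TEAM` unchanged, because the value is already in the list.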

Thank you very much, sir. I understood this concept.
