Hello,
I have this logs:
{"process": "123", "status:red", "@timestamp":"2020-12-31T16:14:13.886+0000" }
{"process": "122", "status:red", "@timestamp":"2020-12-31T16:14:14.886+0000" }
{"process": "123", "status:green", "@timestamp":"2020-12-31T16:15:13.886+0000" }
(this is storaged in one index filebeat-)
and I want to make a new index (status-) with last one, like this:
{"process": "122", "status:red", "timestamp":"2020-12-31T16:14:14.886+0000" }
{"process": "123", "status:green", "timestamp":"2020-12-31T16:15:13.886+0000" }
but now I can't update the log in elastic
I have this pipeline
input {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => ["filebeat-*"] # ORIGINAL INDEX
docinfo => true
schedule => "*/1 * * * *"
size => 500
query => (take all logs not processed)
}
}
filter {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => ["status-*"] #STATUS INDEX
query => "process:%{[process]}"´
fields => {
"status"=>"old_status"
"timestamp"=>"old_timestamp"
}
}
if (!([old_status])) {
clone {
clones => ["status_metadata"]
}
if [type] == "status_metadata" {
prune {
whitelist_names => ["status", "timestamp"]
}
}
}
if ( [timestamp] > [old_timestamp]) {
aggregate {
task_id => "%{[@message][processInstId]}"
code => 'map["@message"] = event.get("[@message]")'
}
}
}
output {
stdout {
codec => rubydebug
}
if ([@metadata][type] == "status_metadata") {
elasticsearch {
hosts => [ "elasticsearch:9200" ]
manage_template => false
index => "status-%{+YYYY.MM.dd}"
action => "update"
doc_as_upsert => true
document_type => "%{[@metadata][_type]}"
document_id => "%{[@message][processInstId]}"
}
}
else {
elasticsearch {
hosts => [ "elasticsearch:9200" ]
index => "%{[@metadata][_index]}"
document_type => "%{[@metadata][_type]}"
document_id => "%{[@metadata][_id]}"
}
}
}
My problem it's the document never is updated in elasticsearch... Can You help? pls