Logstash document_id for 3 joined tables

Swati_Kanade · November 14, 2022, 6:58pm

Hi, I am new to ELK stack search. I have created an index by joining 3 tables - message, message_recipient and message_attachments - using inner join on message and message_recipient and left outer join on message_attachment since message may or may not have attachments. Now I want to get combined output of these joins in one index and also avoid duplicates.

elasticsearch {
  hosts => ..
  index => ..
  document_id => "%{message_id}%{recipient_id}%{attachment_id}"
}

With this document_id, only those messages will be ingested for which there is one or more attachments but there are recipients of messages for which there are no attachments, I want those records as well. How to ingest those records ?

Badger · November 14, 2022, 8:34pm

You could try using a fingerprint filter, that will create a hash of whichever fields exist, and you can use that as the document id.

Swati_Kanade · November 15, 2022, 11:58am

Thank you for your suggestion, I will check fingerprint filter.

system · December 13, 2022, 11:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ES query to check the existence of a document_id? Logstash	10	982	June 26, 2020
Querying in Elasticsearch Elasticsearch	4	313	May 23, 2018
Multi nested documents in logstash aggregation Logstash	3	1015	January 9, 2018
Join multiple Independent Indices Elasticsearch	8	3650	July 5, 2017
Multi Document Search in the Same Index Elasticsearch	3	388	September 28, 2020

Logstash document_id for 3 joined tables

Related topics