I am trying to add existing data from an Elasticsearch index to the current Logstash event using the elasticsearch filter.
The current Logstash event is
id,status,date
123456789,ByMobile,Success
The existing data looks like
id,status,date
123456789,created,10-11-2020 14:12:33
123456789,pending,10-11-2020 14:12:34
123456789,completed,10-11-2020 14:12:35
Now I want to add the above 3 records' info to the present event by matching the current event field id with the existing data field id.
I tried
elasticsearch {
  hosts => ["http://localhost:9200"]
  index => "elasticsearchdataindex11"
  query => "id:%{[id]}"
  fields => {
    "id" => "ID"
    "status" => "STATUS"
    "date" => "DATE"
  }
}
Is this correct?
I also tried a query template
{
  "query": {
    "query_string": {
      "query": "id:%{[id]}"
    }
  },
  "_source": ["id","status","date"]
}
but I am getting an error like
Failed to query Elasticsearch for previous event {:index=>"elasticsearchdataindex11", :error=>"Unexpected character (':' (code 58)): was expecting comma to separate Object entries\n at [Source: (byte)"{\r\n "query": {\r\n "query_string": {\r\n "query": "id": 123456789\r\n }\r\n }\r\n ,\r\n "_source": ["id","status","date"]\r\n}"; line: 4, column: 22]"}
Can anyone help with this? Thanks
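The page carries no answer, so the following is a corrected filter block added here as an example; it is not code from the question. It assumes the index field holding the key is named id, that the date field in the index is mapped as a date type so it can be sorted on, and that the target field names history_status and history_date are free to use on the event (those names are assumptions).

```conf
filter {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "elasticsearchdataindex11"
    # Lucene query_string syntax. %{[id]} is plain sprintf string
    # substitution of the current event's id field, done before the
    # request is sent to Elasticsearch.
    query => "id:%{[id]}"
    # The plugin keeps only the first hit by default (result_size => 1).
    # Ask for all three history rows; with more than one hit each copied
    # field becomes an array on the event.
    result_size => 3
    # The default sort is "@timestamp:desc", and Elasticsearch rejects a
    # sort on a field that is not in the mapping, so sort on a field the
    # index actually has (assumed: date is mapped as a date type).
    sort => "date:asc"
    # Copy fields from the hits' _source into new fields on the current
    # event (hash form: source field => target field). Target names are
    # assumed, chosen so they do not collide with the event's own fields.
    fields => {
      "status" => "history_status"
      "date"   => "history_date"
    }
    # A failed lookup tags the event instead of dropping it, so the
    # outcome can be checked downstream.
    tag_on_failure => ["_elasticsearch_lookup_failure"]
  }
}
```

For the query_template form, the "query" key of query_string must have exactly one value, a single JSON string: `"query": "id:%{[id]}"`. The extra `: 123456789` after the string in the posted template is what the parser reports at line 4, column 22 ("was expecting comma to separate Object entries"). The error message also shows that %{[id]} is substituted into the template text before the JSON is parsed, which matters for two reasons: a value containing a double quote would break the JSON, and with either form a value containing query syntax (for example `* OR status:*`) would broaden the lookup to other documents. If id can be influenced by whoever produces the events, validate it before the lookup, for instance by wrapping the filter in `if [id] =~ /^[0-9]+$/ { ... }`.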