Logstash elasticsearch filter and array of string substitution

Silver137 · July 1, 2022, 9:46am

I'm using the logstash elasticsearch filter to make a terms query where i need to substitute an array on the selected query_template.

The query template is as follows:

{
  "size": 5,
  "query": {
    "bool": {"filter": [
      {"range": { "@timestamp": { "gte": "now-1w/d", "lte": "now/d"}}},
      {"terms": {
        "product": ["%{[product_list]}"]
      }}
    ]}
  }
}

Where product list is a variable with a list of string that must be expanded to acomplish the query dsl format.

Well the query dosen't work.

I have already try indicating the postion on the array and works perfectly:

"product": ["%{[product_list][0]}"]

and

"product": ["%{[product_list][1]}"]

works.

But i need to expand the array to pass the list of string to do the terms query.

Silver137 · July 1, 2022, 11:01am

One of the posible workarounds consist of usege of a previous mutate filter usage:

mutate { join => {"ip_list" => '","'} }

This separetes the strings of the array on the correct way for include in the json query.
But it's interesting find a cleaner solution.

system · July 29, 2022, 11:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Elasticsearch Lookup Logstash	9	363	June 27, 2022
Dealing with logstash conf file for json string array Logstash	5	541	August 13, 2018
Query_Template Format in Elastic Search filter plugin Logstash	1	514	August 1, 2018
How to query elasticsearch with array as parameter Logstash	1	178	August 31, 2023
Use of variables in a query in logstash Logstash	13	3378	June 22, 2020

Logstash elasticsearch filter and array of string substitution

Related Topics