Logstash elasticsearch filter, query with nested field

Hello

I have an issue running a query with a nested field.
Sample input data:
{"url_details":{"_id":"1c928bb630eaf248"},"usernameID":"test1"}

Filter config:

        # Only query ES when the nested field is present on the event
        if [url_details][_id] {
        elasticsearch {
           hosts => ["127.0.0.1"]
           index => "index*"
           # sprintf reference to the nested field [url_details][_id]
           query => "url_details._id:%{[url_details][_id]} AND _exists_:usernameID"
           result_size => 1
           # copy usernameID from the ES hit into [foobar] on the event
           fields => { "[usernameID]" => "[foobar]" }
        }
        if [usernameID] not in [foobar] {
            mutate {
                merge => { "[usernameID]" => "[foobar]" }
            }
        }
        }

Results in this query:
GET /index%2A/_search?q=url_details._id%3A%25%7B%5Burl_details._id%5D%7D+AND+exists%3AusernameID&size=1&sort=%40timestamp%3Adesc HTTP/1.1

Changing input data to this:
{"url_details":"1c928bb630eaf248","usernameID":"test1"}

And filter to this:

    # Same filter, but url_details is now a flat top-level string
    if [url_details] {
    elasticsearch {
       hosts => ["127.0.0.1"]
       index => "matomo*"
       query => "url_details._id:%{[url_details]} AND _exists_:usernameID"
       result_size => 1
       fields => { "[usernameID]" => "[foobar]" }
    }
    if [usernameID] not in [foobar] {
        mutate {
            merge => { "[usernameID]" => "[foobar]" }
        }
    }
    }

Works as expected

You are asserting that the sprintf reference %{[url_details][_id]} gets converted to %{[url_details._id]} in the URL sent to ES? You might want to double check that.
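
As an added example (not code from the thread or from the Logstash plugin), here is a small Python model of what the elasticsearch filter does with the `query` option: it expands Logstash sprintf field references such as `%{[url_details][_id]}` against the event and sends the result as the `q` parameter of a `_search` request. Running it against the two sample inputs above shows what the resolved query should look like, and that a reference written as `%{[url_details._id]}` (one segment containing a dot) does not resolve against a nested `url_details` -> `_id` structure and is left verbatim, which is the point the reply raises. The function names, the two constructed events and the `escape` option are my additions: sprintf substitutes the field value as-is, so if `_id` comes from untrusted input it lands in the Lucene query string unescaped unless you quote it yourself.

```python
import re
from urllib.parse import quote, urlencode

# Constructed sample events mirroring the two input shapes in the thread.
NESTED_EVENT = {"url_details": {"_id": "1c928bb630eaf248"}, "usernameID": "test1"}
FLAT_EVENT = {"url_details": "1c928bb630eaf248", "usernameID": "test1"}

REF_RE = re.compile(r"%\{([^}]*)\}")   # %{...} sprintf references
PATH_RE = re.compile(r"\[([^\]]*)\]")  # [a][b] path segments


def resolve_ref(event, ref):
    """Look up a Logstash field reference ([a][b] or a bare top-level name)
    in a dict-shaped event. Returns None if any segment is missing, so a
    reference like [url_details._id] (one segment containing a dot) does
    NOT match a nested url_details -> _id structure."""
    path = PATH_RE.findall(ref) if ref.startswith("[") else [ref]
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def quote_lucene_term(value):
    """Wrap a value as a Lucene phrase so ':', '*', 'OR' etc. inside it are
    matched literally instead of being parsed as query syntax."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def sprintf(event, template, escape=False):
    """Expand every %{...} in template from the event. Unknown references are
    left verbatim (Logstash does the same). With escape=True each value is
    inserted as a quoted Lucene term; that is an added hardening step in this
    example, not something the filter does for you."""
    def sub(match):
        value = resolve_ref(event, match.group(1))
        if value is None:
            return match.group(0)
        return quote_lucene_term(str(value)) if escape else str(value)
    return REF_RE.sub(sub, template)


def build_search_url(event, index, template, size=1, escape=False):
    """Assemble the _search request path the way the captured request in the
    thread looks: index pattern in the path, query_string in ?q=."""
    q = sprintf(event, template, escape=escape)
    params = urlencode({"q": q, "size": size, "sort": "@timestamp:desc"})
    return f"/{quote(index, safe='')}/_search?{params}"


if __name__ == "__main__":
    tmpl = "url_details._id:%{[url_details][_id]} AND _exists_:usernameID"
    print(sprintf(NESTED_EVENT, tmpl))
    print(build_search_url(NESTED_EVENT, "index*", tmpl))
    # A value carrying query syntax: compare the raw and the quoted form.
    hostile = {"url_details": {"_id": "x OR *"}}
    print(build_search_url(hostile, "index*", tmpl))
    print(build_search_url(hostile, "index*", tmpl, escape=True))
```

Compare the path printed for `NESTED_EVENT` with the one Logstash logged: if the logged `q` still contains `%{` after expansion, the reference in the config did not resolve against the event, and the first thing to check is whether the reference was really written as `[url_details][_id]` rather than `[url_details._id]`.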
