Logstash nested data update is not working as expected

Hi

I have a nested field as below:

    "appdata": {
      "type": "nested",
      "include_in_parent": true,
      "properties": {
        "accessType": {
          "type": "text",
          "norms": false,
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "appname": {
          "type": "text",
          "norms": false,
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "eventtime": {
          "type": "text",
          "norms": false,
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }

I'm updating it using Logstash, in the output plugin, as below:

    elasticsearch {
      hosts => ["localhost:9200"]
      document_id => "%{sid}"
      index => "dashboard_write"
      timeout => 30
      script => "if (ctx._source.appdata == null) { ctx._source.appdata = params.event.get('appdata') } else { ctx._source.appdata = ctx._source.appdata + params.event.get('appdata') }"
      doc_as_upsert => true
      action => "update"
    }

The first time, appdata will be null and it should assign that value. For the second event, it should append the data to the existing appdata.
But I saw that ctx._source.appdata is empty even though data is there.

Am I doing anything wrong here?
