Logstash output script not working: Append array while upserting

My plan is to uploads logs with logstash and update a field if this is present already in ES.
There is the field "origin" with maybe this “origin” : [ “live” ] and on upload it should become “origin” : [ “live, “upload]. But I fail.

I saw some documentation like

and an old discussion

But I can not fix my issue.

I am using logstash 7.9.2. My config is working without the "script" part.

I am trying to append a field while/after uploading the document

    ....
    output {
	elasticsearch {
		hosts => "https://142.10.42.142:9200"
                ssl => true
                cacert => "/opt/some/elasticsearch-ca.pem"
		document_id => "%{doc_id}"
		index => "someName-c%{[customer][id]}-p%{[project][id]}-%{+YYYY-MM}"
		user => MasterOfNothing
		password => BestPasswortEver
        script => 'ctx._source.origin += "upload"'
        scripted_upsert => true
	}

But no field origin is created or appended

I also tried

    script => 'ctx._source.origin = "upload"'

or

    script => 'ctx._source.origin = ["upload"]'

to maybe just create that field, but also no effect.

What am I missing?

Is there not even one person with better knowledge about this output script things? I need a solution for this case.

Anyone in the forum an idea? Any admin might read this?

Bastian... try this

script => "ctx._source.viewedPhotos.add(123)"

Thanks @ToddDtown for your reply, but not sure what else to put where.
Didn't fix my issue.

In addition your idea might lead to multiple entries of the same value, I guess.

My solution now is to restructure and use a nested field with integers.

"origin": {
  "live": 1
  "upload": 1
},

so in the logstash config I just need this:

mutate {
    add_field => { "[origin][upload]" => 1 }
}
mutate {
    convert => ["[origin][upload]","integer"]
}

where the 2nd part is "just" to ensure having a integer instead of a string.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.