Logstash update nested data

Hi

I have a nested field as below:

"appdata": {
  "type": "nested",
  "include_in_parent": true,
  "properties": {
    "accessType": {
      "type": "text",
      "norms": false,
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "appname": {
      "type": "text",
      "norms": false,
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "eventtime": {
      "type": "text",
      "norms": false,
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    }
  }
}

I'm updating the same using the Logstash output plugin as below:

elasticsearch
{
    hosts => ["localhost:9200"]
    document_id => "%{sid}"
    index => "dashboard_write"
    timeout => 30
    script => "if (ctx._source.appdata == null) { ctx._source.appdata = params.event.get('appdata') } else { ctx._source.appdata = ctx._source.appdata + params.event.get('appdata') }"
    doc_as_upsert => true
    action => "update"
}

The first time, appdata will be null and it should assign that value. For the second event, it should append the data to the existing appdata.
But I saw that ctx._source.appdata is empty even though the data is there.

Am I doing anything wrong here?

After removing timeout in the above output plugin, I'm able to get halfway. Now it's going to the else branch and trying to append the data, and it gives the error below:

Cannot apply [+] operation to types [java.util.LinkedHashMap] and [java.util.HashMap]

I even tried add instead of +, but that gives "Add method is not there in LinkedHashMap".

If I use

ctx._source.appdata.put('appdata',params.event.get('appdata')), it overwrites the existing data instead of appending.

Why is the nested object being considered as a LinkedHashMap?

Can someone please provide an update?
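
Added example (not part of the original post, and not code from the Logstash or Elasticsearch projects): in a Painless update script `ctx._source` is the parsed JSON document, so a JSON object shows up as a Map and a JSON array as a List, whatever the mapping says about `nested`. One way to append is to store `appdata` as a list of objects and merge with `addAll()`. It assumes each event carries `appdata` as a single object or an array of objects.

```logstash
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "dashboard_write"
    document_id => "%{sid}"
    action => "update"
    # With doc_as_upsert the event itself is used as the upsert document
    # when no document with this id exists yet.
    doc_as_upsert => true
    script_lang => "painless"
    # For later events the script runs against the stored document.
    # Assumption: appdata is one object (Map) or an array of objects (List).
    # Both sides are normalised into one ArrayList, because Map has no +
    # operator and Map.put() replaces the value stored under a key.
    script => "
      def incoming = params.event.get('appdata');
      if (incoming != null) {
        def current = ctx._source.appdata;
        def merged = new ArrayList();
        if (current instanceof List) { merged.addAll(current); }
        else if (current != null) { merged.add(current); }
        if (incoming instanceof List) { merged.addAll(incoming); }
        else { merged.add(incoming); }
        ctx._source.appdata = merged;
      }
    "
  }
}
```

A `nested` field accepts an array of objects, so the mapping above does not need to change for `appdata` to hold a list.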
