Logstash update only 1 field

Hi,

I'm parsing a logfile and each line has in a column "Action" either "CREATE" or "CLEAR". If the Action field contains CREATE, I want to create a new document as normal. If the Action contains CLEAR it just want to update field "timestamp_clear", how can I achieve this - so not the full document gets overwritten?

input {
file {
path => "/tmp/NLegacy.OUT"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
csv {
separator => [ ";" ]
columns => ["Action", "DateTimeAlarm", "DateTimeN", "DType", "MType", "Name", "AID"]
#convert => {
# "DateTimeAlarm" => "date_time"
#}
}
if "CREATE" in [Action] {
date {
match => ["DateTimeAlarm", "MM/dd/YYYY HH:mm:ss"]
target => "@timestamp"
timezone => "UTC"
}
date {
match => ["DateTimeAlarm", "MM/dd/YYYY HH:mm:ss"]
target => "timestamp_create"
timezone => "UTC"
}
}
if "CLEAR" in [Action] {
date {
match => ["DateTimeAlarm", "MM/dd/YYYY HH:mm:ss"]
target => "timestamp_clear"
timezone => "UTC"
}
}
date {
match => ["DateTimeNotifier", "dd.MM.YY HH:mm:ss"]
target => "DateTimeNotifier"
timezone => "UTC"
}
mutate {
remove_field => [ "DateTimeAlarm", "message" ]
}
}

output {
stdout { codec => rubydebug }
elasticsearch {
hosts => ["localhost"]
document_id => "%{GID}"
index => "logstash-my-index"
timeout => 30
workers => 1
action => "update"
doc_as_upsert => true
}
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.