Output: specify document id or allow elasticsearch to pick

Supermathie · February 28, 2020, 8:26pm

Sometimes on injest we have an id we want to keep as the document id:

    if [trace_id] {
      mutate {
        copy => { "trace_id" => "[@metadata][document_id]" }
        remove_field => "trace_id"
      }
    }

so we specify as an output filter (for example):

  if [type] == "bbq" {
    elasticsearch {
      id                 => "bbq"
      hosts              => ["elasticsearch-1", "elasticsearch-2", "elasticsearch-3"]
      index              => "bbq-%{+YYYY.MM.dd}"
      document_id        => "%{[@metadata][document_id]}"
    }
  }

And this works great, but there are certain logs generated where we do not have a trace_id and so want elastic to generate its own document ID. But if [@metadata][document_id] was not specified previously, we get a document in elastic with the literal text [@metadata][document_id] as its document ID.

Possible solutions to this:

generate a document ID ourselves if not already specified (I don't like this as elastic should be handling this)
have two separate output filters (I do not like the duplication of doing so)

Is there a better way of handling this? What is the best pattern?

system · March 27, 2020, 8:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic document_id Logstash	6	1597	April 27, 2023
How does logstash generate '_id' when the outputting to elastic search? Logstash	2	7285	July 6, 2017
ES query to check the existence of a document_id? Logstash	10	982	June 26, 2020
Records disappearing while using custom document_id Elasticsearch	4	704	October 11, 2017
How to use document id to avoid duplication of logs? Logstash	8	1852	June 26, 2020

Output: specify document id *or* allow elasticsearch to pick

Related topics

Output: specify document id or allow elasticsearch to pick