Hello everybody,
I'm not finding a solution to this problem:
using http_poller as input plugin, an elasticsearch filter to match log and enrich with some data, output elastic search for update the log.
here's the configuration example:
input {
http_poller {
urls => {
test1 => {
url => "http://localhost:9200/dp_api-*/_search?q=myqueryAND-tags:enriched"
method => get
#auth => {
# user => "AzureDiamond"
# password => "hunter2"
#}
}
}
request_timeout => 60
# Supports "cron", "every", "at" and "in" schedules by rufus scheduler
schedule => { every => "1m"}
codec => "plain"
# A hash of request metadata info (timing, response headers, etc.) will be sent here
#metadata_target => "http_poller_metadata"
tags => ["to_enrich"]
}
}
filter{
json{
source => "message"
remove_field => ["message"]
}
split {
field => "[hits][hits]"
}
mutate {
remove_field => [ "took", "@version", "timed_out", "_shards", "[hits][hits][_index]", "[hits][hits][_type]"]
}
if "to_enrich" in [tags]{
elasticsearch { #prendo i dpapi logs
hosts => "localhost:9200"
index => "dp_api-*"
query_template => "path/elastic-queries/matching-requestaw.json"
fields => { "request" => "[hits][hits][_source][new_key_vittorio]" }
add_tag => ["enriched"]
remove_tag => ["to_enrich"]
}
}
}
output {
stdout {
codec => rubydebug
}
if "enriched" in [tags] {
elasticsearch {
hosts => "localhost:9200"
index => "dp-api-%{+YYYY.MM.dd}"
document_id => "%{[hits][hits][_source][@metadata][_id]}"
parent => ""
action => "update"
}
}
}
and is not working simply because (i think) elasticsearch doesn't want the json like this one, which has all the fields that comes from the search. As output I successfully enrich the log using the filter but then i'm not able to update in elasticsearch. Am i missing something?
is there a way to tell elasticsearch output to take the content of the _source field ?
thanks