Replace ip with hostname on data already indexed

Pete_Del_Rosso · March 8, 2017, 6:02pm

I am streaming sys logs to log stash. To make them more useful I added a dns filter so we can see machine name:

dns {
reverse => [ "remoteAddress" ]
action => "replace"
}

This is working well. I want to update the existing "remoteAddress" fields and replace the IP with the host name. I have looked at the bulk update API and the update by query api and can't figure out how to do this. There's only a handful of values so i don't mind writing a couple of API requests by hand to do this.

Using the Dev Tool link in the Kibana UI, I have been trying something like this with no luck:

POST myindex/_update_by_query
{
"query" : {
"term" : {
"remoteAddress" : { "1.2.3.4" }
}
}
"replace" : {
"doc" : {
"remoteAddress" : { "myservername" }
}
}
}

i have been looking online for simple examples to build my query with, no luck. Any help would be greatly appreciated.

Thanks,
Pete

warkolm · March 8, 2017, 7:42pm

Does that query not work?

Pete_Del_Rosso · March 8, 2017, 7:58pm

this query:

POST http-access-cos/_update_by_query
{
"query" : {
"term" : {
"remoteAddress" : { "127.0.0.1" }
}
}
"replace" : {
"doc" : {
"remoteAddress" : { "localhost" }
}
}

returns:

{
"error": {
"root_cause": [
{
"type": "json_parse_exception",
"reason": "Unexpected character ('}' (code 125)): was expecting a colon to separate field name and value\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@70c87ba0; line: 4, column: 34]"
}
],
"type": "json_parse_exception",
"reason": "Unexpected character ('}' (code 125)): was expecting a colon to separate field name and value\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@70c87ba0; line: 4, column: 34]"
},
"status": 500
}

warkolm · March 8, 2017, 9:28pm

Try "remoteAddress" : "127.0.0.1".
Same for the second remoteAddress.

Pete_Del_Rosso · March 9, 2017, 5:21pm

nope, is this documented somewhere? or is there a valid example we could reference?

POST http-access-cos/_update_by_query
{
"query" : {
"term" : {
"remoteAddress" : "127.0.0.1"
}
}
"replace" : {
"doc" : {
"remoteAddress" :"localhost"
}
}
}

{
"error": {
"root_cause": [
{
"type": "json_parse_exception",
"reason": "Unexpected character ('"' (code 34)): was expecting comma to separate Object entries\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@4c4f39f9; line: 7, column: 5]"
}
],
"type": "json_parse_exception",
"reason": "Unexpected character ('"' (code 34)): was expecting comma to separate Object entries\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@4c4f39f9; line: 7, column: 5]"
},
"status": 500
}

system · April 6, 2017, 5:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.