I would avoid the file.
If you use inline, the script is being sent together with the request each time.
It will be cached after the first compilation, so there are no major performance improvements.
The script will be sent each time.
If you use indexed, the script must be setup before starting Logstash and there will be less data to be transferred over network.
@Alex_Marquardt has a good tutorial in his blog: Using Logstash and Elasticsearch scripted upserts to transform eCommerce purchasing data
If you enable doc_as_upsert you might miss the first filename.
I think the correct elasticsearch output should be:
elasticsearch {
index => "ecommerce_ls_transformed"
document_id => "%{doc_id}"
action => "update"
scripted_upsert => true
script_lang => "painless"
script => "def fn = params.event.get('filename'); if (ctx._source.filenames != null) {ctx._source.filenames.add(fn)} else {ctx._source.filenames = [ fn ]} "
}
Regarding the following error:
If the painless script is valid, I wouldn't expect it to be recompiled several times (as it is cached at the first execution, if there is no dynamic content in it - meaning you access params.event and there is no templated text in the script).
Are you sure this didn't occur just because you did some attempts adjusting the script and the compilation failed too many times in a short time frame?