Hello,
I have this config file where I am trying to update an existing document with a matching UUID only if the new document has a greater timestamp than the previous document. However, the field previoustime never seems to be populated properly, or it is empty most of the time. When it does get populated, it gets populated from a completely different document.
'input {
  beats { port => 5044 }
}
filter {
  json { source => "message" }
  elasticsearch {
    hosts => ["172.17.0.2:9200"]
    query => "_id={[uuid]}"
    index => "uuid39"
    fields => { "publishedtime" => "previoustime" }
  }
}
output {
  if [key] == "elasticsearch" and [previoustime] {
    if [previoustime] < [publishedtime] {
      elasticsearch {
        hosts => ["172.17.0.2:9200"]
        index => "uuid39"
        document_id => "%{[uuid]}"
      }
    }
  } else if [key] == "elasticsearch" {
    elasticsearch {
      hosts => ["172.17.0.2:9200"]
      document_id => "%{[uuid]}"
      index => "uuid39"
    }
  } else {}
}'
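Added example, not part of the original post: the elasticsearch filter's `query` option takes a Lucene query string (`field:value`), and event fields are interpolated with `%{[field]}`, so a lookup by document id for this pipeline can be written as below. It reuses the post's host, index and field names and assumes `publishedtime` is stored in a form that compares correctly with `<` (for example epoch numbers, or ISO 8601 strings in one fixed format).

```logstash
input {
  beats { port => 5044 }
}

filter {
  json { source => "message" }

  # Fetch the stored document whose _id equals this event's uuid and copy
  # its publishedtime into previoustime on the current event.
  elasticsearch {
    hosts  => ["172.17.0.2:9200"]
    index  => "uuid39"
    query  => "_id:%{[uuid]}"      # Lucene syntax plus sprintf reference
    fields => { "publishedtime" => "previoustime" }
  }
}

output {
  if [key] == "elasticsearch" {
    if ![previoustime] {
      # No stored copy was found for this uuid: index the event as new.
      elasticsearch {
        hosts       => ["172.17.0.2:9200"]
        index       => "uuid39"
        document_id => "%{[uuid]}"
      }
    } else if [previoustime] < [publishedtime] {
      # Stored copy is older: overwrite it with the incoming event.
      # Assumption: both values use the same comparable representation.
      elasticsearch {
        hosts       => ["172.17.0.2:9200"]
        index       => "uuid39"
        document_id => "%{[uuid]}"
      }
    }
    # Otherwise the stored copy is the same age or newer: write nothing.
  }
}
```

Events for which the lookup itself fails are tagged by the filter (`_elasticsearch_lookup_failure` by default), which can be used to tell a failed query apart from a uuid that has no stored document yet.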