I have some data from our Monitoring tool that is uploaded to Elastic with Filebeat. When the monitoring alert is closed, I get a new entry with "Resolution state: Closed". I would like to update the Resolution state in Elastic, instead of creating a new (double) entry, with only one field changed.
In this topic I found some information about that. I have to make sure that I have a unique ID that I can use to relate the 2 entries.
So with the help of this forum, I managed to change the Document Id, by adding this to the filebeat.yml:

filebeat.inputs:
  parsers:
    - ndjson:
        document_id: "AlertId"

I can verify that the Document Id now is correct, and not generated by Elastic anymore. But when I have a closed alert, nothing seems to happen. So it doesn't get uploaded twice anymore, but it's also not updating.
Any help with figuring this problem out would be appreciated! I have no clue anymore.