Update Dataset with Information comming delayed

michaelpietzsch · January 18, 2021, 9:22am

Hello dear elastic users,

im currently having an issue implementing a logic which updates fields after they have been stored in the elastic.

Let me try to explain this to the best of my ability:

Theres a log entrance comming in to elastic which contains fields like

Theres a CONNECT Logline comming in. The system provides a connectionID
A couple of seconds or minutes later a BIND Logline comes in with the same connectionID in addition now we have filled user field.
My goal is to add this user field to the connect log line...
.... this is the basic task...

Now heres where things really get complicated.... it is possible that multiple same connection ids occour. The data enhanchement must only work for the last operation...

any ideas on how to do this?
best regards michael

ylasri · January 18, 2021, 9:28am

How are you sending logs to elasticsearch ? with Logstash ?

michaelpietzsch · January 18, 2021, 9:51am

They are comming from a TD agent logshipper

ylasri · January 18, 2021, 9:55am

No idea about it, but anyway, elasticsearch provide an upsert option to update existing document

hat's something that logstash support OOB

michaelpietzsch · January 18, 2021, 10:07am

Would the enrich processor be a viable option?

system · February 15, 2021, 10:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.