Update document on multiple indices

shaharmor · April 5, 2017, 1:35pm

Hi,

I'm tracking user sessions as docs in ES.
Each session is a single doc that gets updated when ever the session state changes.

I'm using daily based indices, and the ID of the doc is the session ID (UUID).
If a session starts before the end of a day, but continues on to the next day, the update will look for it only in the next day's index and thus won't find it and will create a new doc, right?

How can I make logstash look up the doc in multiple indices so I will really only have a single doc per session? Or is there a better way to handle this?

TWalter · April 5, 2017, 11:24pm

Hi shaharmor,

i have an Idea, but it's a little bit complicated. I think the decission in which Index the event is written depends on the timestamp of the doc or other specific fields.

To solve your Problem you can do this:

You lookup your ES if there is already an entry with the same UUID. You can do this with the Elasticsearch-Filter-Plugin (here the documentation: https://www.elastic.co/guide/en/logstash/current/plugins-filters-elasticsearch.html).
Configure the filter plugin, so that you "join" specific fields (that are responsible for writing in the time based index) from the existing entry in ES. If there is no existing entry with the same UUID, the filter plugin doesn' join anything (because ther is nothing to join) and the doc won't be modified.
If the filter plugin joined the fields of the existing entry, delete the unnecessary and keep the necessary fields for the correct updating to the "old" index.

I hope i could help you a little bit =)

system · May 3, 2017, 11:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.