Hi
I am sending logs/events to ES after parsing the log files through Logstash. Now what I want is to add a field after evaluating fields in multiple documents.
e.g. the following are documents from the ES index:
pid=1, price=10, status=GD
pid=2, price=5, status=GD
..............................................
..............................................
..............................................
pid=1, price=15, status=Shop
pid=2, price=10, status=Shop
pid=1, price=18, status=Customer
..............................................
Now I want to check if price is greater than 10 for pid=1 and status=GD
and if the above is true, then
I will check if price is greater than 11 for pid=1 and status=Shop
and finally
Check if price is greater than 15 for pid=1 and status=Customer
If the above evaluation is true for all three cases, I want to add a field, say result=true, for all pid=1 so that the final document looks like:
pid=2, price=5, status=GD, result=true
I did not find a way to do it through Logstash.
I think to do it I have to write a custom script that reads the ES index, checks for the conditions and adds the field. If so, how can I read the ES index through a separate script and add/update fields?
Also, is it possible to generate an alert based on the above conditions instead of writing a custom script for it?
Need suggestions from the experts.
Regards
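The cross-document check described in the post, written out as an added example (this is not code from the post or from Logstash/Elasticsearch). It groups documents by pid and status, applies the three price thresholds, and builds the body of an Elasticsearch `_update_by_query` request that would set `result=true` on every document of a passing pid. The sample documents are constructed here; note that with the post's own numbers pid=1 does not pass, because its GD price of 10 is not greater than 10. Two things the post leaves open are assumptions of this example: when a pid has several documents with the same status, all of them must exceed the threshold, and a pid with no document for one of the statuses fails.

```python
"""Evaluate per-status price thresholds across documents, per pid.

Added example, not from the original post. The documents below are
constructed; in practice they would come from a search over the index.
"""
from collections import defaultdict

# Rules from the post: each (status, minimum price) must hold for a pid.
RULES = [("GD", 10), ("Shop", 11), ("Customer", 15)]

# Constructed sample documents. pid=1 mirrors the post's numbers and fails
# because its GD price is exactly 10 (not greater than 10). pid=3 passes.
# pid=4 has no Shop or Customer document at all (assumed to fail).
SAMPLE_DOCS = [
    {"pid": 1, "price": 10, "status": "GD"},
    {"pid": 2, "price": 5, "status": "GD"},
    {"pid": 3, "price": 12, "status": "GD"},
    {"pid": 1, "price": 15, "status": "Shop"},
    {"pid": 2, "price": 10, "status": "Shop"},
    {"pid": 3, "price": 20, "status": "Shop"},
    {"pid": 1, "price": 18, "status": "Customer"},
    {"pid": 3, "price": 16, "status": "Customer"},
    {"pid": 4, "price": 30, "status": "GD"},
]


def group_prices(docs):
    """Map (pid, status) -> list of prices seen in the documents."""
    prices = defaultdict(list)
    for doc in docs:
        try:
            prices[(doc["pid"], doc["status"])].append(float(doc["price"]))
        except (KeyError, TypeError, ValueError):
            # Skip a malformed document instead of aborting the whole run.
            continue
    return prices


def passing_pids(docs, rules=RULES):
    """Return the sorted pids for which every rule holds.

    Assumption (not stated in the post): every document of a given status
    must exceed its threshold, and a status with no document fails.
    """
    prices = group_prices(docs)
    pids = {pid for pid, _status in prices}
    passed = []
    for pid in pids:
        ok = True
        for status, threshold in rules:
            seen = prices.get((pid, status), [])
            if not seen or any(p <= threshold for p in seen):
                ok = False
                break
        if ok:
            passed.append(pid)
    return sorted(passed)


def tag_results(docs, rules=RULES):
    """Return copies of the documents, adding result=True to passing pids."""
    winners = set(passing_pids(docs, rules))
    return [dict(doc, result=True) if doc.get("pid") in winners else dict(doc)
            for doc in docs]


def update_by_query_body(pids):
    """Body for POST <index>/_update_by_query: a Painless script that sets
    result=true, restricted by a terms query to the passing pids."""
    return {
        "script": {"source": "ctx._source.result = true", "lang": "painless"},
        "query": {"terms": {"pid": list(pids)}},
    }


if __name__ == "__main__":
    winners = passing_pids(SAMPLE_DOCS)
    print("pids passing all rules:", winners)
    for tagged in tag_results(SAMPLE_DOCS):
        print(tagged)
    print(update_by_query_body(winners))
```

In a real run the documents would be fetched with a search over the index (scrolling or paginating so the whole pid set is seen, not just the first page), `passing_pids` would be applied to that result, and `update_by_query_body` would be posted to the index. Putting the threshold logic in the script rather than in Painless keeps the update request trivial and lets the same evaluation drive an alert as well, since `passing_pids` already yields the pids to alert on.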