In one of my pipelines I am using logstash with JSON input and output to Elasticsearch with action => "update".
One of the document fields contains nested data type. If in input JSON I receive following:
"nested_field":{"ident":"1","someField":"someVal"}
I should update nested_field, find objct with value 1 in field ident and for this object update field someField to someVal.
Is such operation possible in Logstash?
Yes it is...
filter {
# either conditional
if [nested_field][ident] == '1' {
# use any filter plugin to alter [nested_field][someField]
}
# or use the alter plugin
alter {
condrewriteother => [
"[nested_field][ident]", "1", "[nested_field][someField]", "new_value"
]
}
}Thank you for answer, but maybe I will describe my problem more through.
I have already in ElasticSearch document, with objects in nested_field. I need to update one of these objects (in ElasticSearch) using Logstash, but not to change other objects in nested_field.
I think you are looking for the update_by_query API in elasticsearch. You can do that using a POST from an http filter, similar to the delete field script in the other thread.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.