Update operation doesn't update same columns

Elastic Stack Logstash
1

Hi ,

I have a logstash in which in am using document_id="update" operation , But in update operation the columns value are not getting overridden , Here's my logstash , Hope to receive some replies

input {
beats {
port => 5044
}
}

The filter part of this file is commented out to indicate that it is

optional.

filter {
if [fields][log_type] == "STO-SAG" {

	if "JMS Message In" in [message] {
		dissect {
			mapping => { 
				message => "%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}##%{Filler1}##%{Correlation_Id}##%{Filler2}##Service Started : %{StartServiceMessage}##%{Filler3}##%{Filler4}##%{Filler5}##%{Filler6}##%{ServiceContextId}##%{UserName}##%{Filler7}##%{JMSMESSAGEIN} : %{SourceMessage}" }
		}
		xml {
			source => "SourceMessage"
			store_xml => false
			xpath => ["/ZORDERS01/IDOC/EDI_DC40/MESTYP/text()", "msg_type"]
			xpath => ["/ZORDERS01/IDOC/EDI_DC40/DOCNUM/text()", "idoc_no"]	
			xpath => ["/ZORDERS01/IDOC/E1EDK01/BELNR/text()", "SAGIN_STO_NO"]			
		} 	
		mutate { 
			remove_field => [ "SourceMessage","Filler1","Filler2","Filler3","Filler4","Filler5","Filler6","Filler7","ServiceContextId" ]
			
			add_field => { "STO_Number" => "%{SAGIN_STO_NO}" }

add_field => { "SAGstatus" => "SAGReceived" }

		}
	}
	
	if [JMSMESSAGEIN]=="JMS Message In"
	{
		mutate
		{
			add_field => { "SAGstatus" => "SAGReceived" }
		}	
	}
	
	if "Line File Content" in [message] {
		dissect {
			mapping => { 
				message => "%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}##%{Filler1}##%{Correlation_Id}##%{Filler2}##STO Number:%{SAGOUT_STO_NUMBER}|END SERVICE MESSAGE-SERVICE NAME:%{EndServiceMessage}##%{Filler3}##%{Filler4}##%{Filler5}##%{Filler6}##%{ServiceContextId}##%{UserName}##%{Filler7}##%{LINEFILECONTENT} W%{detailcedillafile}Header File Content%{Headercedillafile}" }
	}
		mutate { 
			
			remove_field => [ "Filler1","Filler2","Filler3","Filler4","Filler5","Filler6","Filler7","ServiceContextId" ]
			add_field => { "STO_Number" => "%{SAGOUT_STO_NUMBER}" }

add_field => { "SAGstatus" => "SAGProcessed" }

		}		
	}
	if[LINEFILECONTENT]=="Line File Content"
	
	{
		mutate
		{
			add_field => { "SAGstatus" => "SAGProcessed" }
			
		}	
	}
		
     if "Error Message:" in [message] {
		dissect {
			mapping => { 
				message => "%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}##%{Filler1}##%{Correlation_Id}##%{Filler2}##STO Number:%{SAGERROR_STO_NUMBER}|%{EndServiceMessage}##%{Filler3}##%{Filler4}##%{Filler5}##%{Filler6}##%{ServiceContextId}##%{UserName}##%{Filler7}##%{ERRORMESSAGE}" }
					}
		mutate { 
			remove_field => [ "Filler1","Filler2","Filler3","Filler4","Filler5","Filler6","Filler7","ServiceContextId" ]
			add_field => { "SAGstatus" => "SAGError" }			
			add_field => { "STO_Number" => "%{SAGERROR_STO_NUMBER}" }
		
		}			
	}	
}

}

output {
elasticsearch
{
hosts => "localhost:9200"
manage_template => false
index => "sto-elkrft-ind-%{+YYYY.MM.dd}"
action => "update"
document_id => "%{STO_Number}"
doc_as_upsert => true
}
stdout { codec => rubydebug }
}

The column SAGstatus , Correlation Id are not getting override

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.