I have a logstash pipeline put into place through which I am getting logs. I want to handle a use-case through logstash configuration in which I have to append a particular value to a field. Currently, it is happening that instead of appending the value at the end of the present value in the index, it replaces the entire value inside the field with the value to be appended.
I want the value to be appended to behave exactly as intended and should get appended to the end.
My Logstash.conf file looks like this:
input {
kafka {
bootstrap_servers => "http://kafka:9092"
topics => "elasticIndexUpdateTopic"
codec => json {}
}
}
filter {
mutate {
remove_field => [ "@timestamp", "@version" ]
}
}
output {
if ([isAppend] or [isAppend] == "true") {
elasticsearch {
hosts => ["http://elasticsearch:9200"]
index => "su-test"
document_id => "%{[id]}"
action => "update"
doc_as_upsert => true
script_lang => "painless"
script => "for(item in params.event.get('%{[field]}')){if(!ctx._source.%{[field]}.contains(item)){ctx._source.%{[field]}.add(item)}}"
}
}
else {
elasticsearch {
hosts => ["http://elasticsearch:9200"]
index => "su-test"
document_id => "%{[id]}"
action => "update"
doc_as_upsert => true
}
}
}