Use @timestamp in a _update_by_query

I'm trying to add a field to documents in an index.
I want to bake in the @timestamp field.

If I use something like the following in a curl -XPOST
-d '{
"script" : { "ctx.source.extra_field = ctx._source.timestamp;", "lang" : "painless" },
"query" : " { "match_all": {} }
}'

I get an extra field with null in.
Of course, saying ctx._source.@timestamp is a syntax error.

(I'm actually going to try to concatenate a few fields so we can avoid a like/contains lookup, however tried a simple example first, which doesn't work.)


I have seen Alerting: Access @timestamp in transform throws Exception and also tried

"ctx.source.extra_field = ctx._source.['@timestamp'];"

This complains illegal argument exception about the '@' characeter.

Try changing ctx.source.extra_field = ctx._source.['@timestamp'];

to ctx.source.extra_field = ctx._source['@timestamp'];"

The dot after ctx._source must not be there.

1 Like

OK - good spot.

Without the dot it still complains about an "unexpected character [@]"

I suspect it's hsving all the curl in a file actually...if I just put the payload in and send that to curl I might be good.

And indeed start the curl with' in a script meant the next quote round the @timestamp broke things.

Note to self - put the payload in the file and use --data "@add_field"with the script in the file.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.