Watcher index action with dynamic doc_id value

Elastic Stack Elasticsearch
1

I'm doing an index action in my watch's Actions block for docs from a _doc payload (see code below). Index action works fine, however, I have duplicate docs and haven't figured out how to evaluate the "doc_id" value in a dynamic way within my index action given a "_doc" payload source:

"actions" : {
  "index_matches" : {
	"transform" : {
		"chain": [
		{ 
			"search" : {
				"request" : {
					"indices" : "rq-snow",
				    "body" : {
				      "size": 1000000,
						  "query" : { 
							  "match" : { 
								  "ip": "{{#ctx.payload.hits.hits}} {{_source.ip}} {{/ctx.payload.hits.hits}}"
							  }
						  }
					  }
			    }
		    }
		},	
		{
			"script": {
				"inline": "def document = []; for(item in ctx.payload.hits.hits) {document.add(item._source);} return [ \"_doc\" : document ];"
			}
		}
		]		
    },
	"index" : {
		"index" : "rq-snow-aware", 
		"doc_type" : "Hit",
		}
	}
}
2

Hey,

you need a _doc array in the following structure to index by id.

_doc = [
 { "_id" : 1234, "foo":"bar", "spam": "eggs"  }
]

This means you need to extract the metadata from the hit and add the id field as part of the second transform.

Hope this helps.

--Alex

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.