Logstash 向 elasticsearch 中的现有文档添加事件
Logstash add an event to an existing document in elasticsearch
我在 Elasticsearch 中已经有一个带有 ID 的文档(假设 1)。我需要配置 Logstash,以便将具有相同 ID 的事件插入 Elasticsearch。
ID 已存在的示例文档:
{
"name": "abc"
}
Logstash 事件:
{
"address": "new york",
"mobile no": "xxx"
}
Elasticsearch 中的最终结果:
{
"name": "abc",
"address": "new york",
"mobile no": "xxx"
}
我尝试在输出插件中使用更新脚本:
elasticsearch {
action => "update"
hosts => [ "localhost:9200" ]
index => "details"
scripted_upsert => true
document_id => "%{id}"
script => "ctx._source.name = params.event.get('name')"
}
这允许我添加每个字段(name、address 等),但我需要插入整个 json 事件而不指定每个字段。怎么做?
我认为这比您想象的要容易得多 ;)
Elasticsearch 支持更新插入:https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-doc_as_upsert
所以将 action => update 与 doc_as_upsert => true 结合起来应该可以完成工作:
elasticsearch {
action => "update"
hosts => [ "localhost:9200" ]
index => "details"
doc_as_upsert => true
document_id => "%{id}"
}
我在 Elasticsearch 中已经有一个带有 ID 的文档(假设 1)。我需要配置 Logstash,以便将具有相同 ID 的事件插入 Elasticsearch。
ID 已存在的示例文档:
{
"name": "abc"
}
Logstash 事件:
{
"address": "new york",
"mobile no": "xxx"
}
Elasticsearch 中的最终结果:
{
"name": "abc",
"address": "new york",
"mobile no": "xxx"
}
我尝试在输出插件中使用更新脚本:
elasticsearch {
action => "update"
hosts => [ "localhost:9200" ]
index => "details"
scripted_upsert => true
document_id => "%{id}"
script => "ctx._source.name = params.event.get('name')"
}
这允许我添加每个字段(name、address 等),但我需要插入整个 json 事件而不指定每个字段。怎么做?
我认为这比您想象的要容易得多 ;)
Elasticsearch 支持更新插入:https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-doc_as_upsert
所以将 action => update 与 doc_as_upsert => true 结合起来应该可以完成工作:
elasticsearch {
action => "update"
hosts => [ "localhost:9200" ]
index => "details"
doc_as_upsert => true
document_id => "%{id}"
}