I'm having trouble with Elasticsearch. How can I change the id to another field in the log file?
I don't think you can change the ids of existing documents in the index, but you can reindex them using the path parameter in your mapping. Here is a trivial example. According to elastic.co/blog/great-mapping-refactoring#meta-fields, the _id field is no longer configurable.
In Elasticsearch, to replace a document you simply have to index a document with the same ID and it will be replaced automatically. If you would like to update a document you can either do a scripted update, a partial update or both.
Each document has an _id that uniquely identifies it, which is indexed so that documents can be looked up either with the GET API or the ids query. The _id can either be assigned at indexing time, or a unique _id can be generated by Elasticsearch.
In the elasticsearch output you can set the document_id for the event you are shipping. This will end up being the _id in Elasticsearch. You can use all sorts of parameters / field references / ... that are available in the Logstash config. Like so:
elasticsearch {
    host => yourEsHost
    cluster => "yourCluster"
    index => "logstash-%{+YYYY.MM.dd}"
    document_id => "%{someFieldOfMyEvent}"
}
In this example someFieldOfMyEvent ends up being the _id of this event in ES.
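An added example, not part of the original answers: a Logstash pipeline that uses the field as `_id` only when the event actually carries it, and otherwise falls back to a content hash. Logstash leaves an unresolved `%{...}` reference as literal text, so without the guard every event missing the field would be written to the same `_id` and each would replace the previous one. Assumptions: the `hosts` option of current elasticsearch output plugin versions, the fingerprint filter plugin, a placeholder URL, and the field names `host` and `message`.

```logstash
filter {
  # Fallback ID: SHA256 over fields that together identify one event.
  # "host" and "message" are assumed field names; adjust to your events.
  fingerprint {
    source => ["host", "message", "@timestamp"]
    concatenate_sources => true
    method => "SHA256"
    # @metadata fields are not shipped to Elasticsearch with the event.
    target => "[@metadata][event_fingerprint]"
  }
}

output {
  if [someFieldOfMyEvent] {
    # Field present: use it as the document _id, as in the answer above.
    elasticsearch {
      hosts => ["https://es.example.internal:9200"]   # placeholder
      index => "logstash-%{+YYYY.MM.dd}"
      document_id => "%{someFieldOfMyEvent}"
    }
  } else {
    # Field missing: "%{someFieldOfMyEvent}" would stay literal, so use
    # the fingerprint instead of collapsing these events into one document.
    elasticsearch {
      hosts => ["https://es.example.internal:9200"]   # placeholder
      index => "logstash-%{+YYYY.MM.dd}"
      document_id => "%{[@metadata][event_fingerprint]}"
    }
  }
}
```

Because indexing with an existing `_id` replaces the stored document, the chosen field has to be unique per event; for log data that must be retained, a value that repeats means earlier entries are lost without any error.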