Elasticsearch输出插件是否支持elasticsearch的_update_by_query? https://www.elastic.co/guide/en/logstash/6.5/plugins-outputs-elasticsearch.html https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-update-by-query.html
答案 0 :(得分:0)
elasticsearch输出插件只能调用_bulk端点,即使用Bulk API。
如果要调用“按查询更新” API,则需要使用http输出插件,并在事件内部构造查询。如果您解释了要达到的目标,我可以提供更多详细信息来更新我的答案。
注意:有一个issue要求此功能,但两年后它仍然打开。
更新
因此,如果您的输入事件为{"cname":"wang", "cage":11},并且您想通过查询所有带有"cname":"wang"并将其设置为"cage":11的文档来进行更新,则查询需要如下所示:
POST your-index/_update_by_query
{
"script": {
"source": "ctx._source.cage = params.cage",
"lang": "painless",
"params": {
"cage": 11
}
},
"query": {
"term": {
"cname": "wang"
}
}
}
因此您的Logstash配置应如下所示(您的输入可能会有所不同,但是我出于测试目的使用了stdin)
input {
stdin {
codec => "json"
}
}
filter {
mutate {
add_field => {
"[script][lang]" => "painless"
"[script][source]" => "ctx._source.cage = params.cage"
"[script][params][cage]" => "%{cage}"
"[query][term][cname]" => "%{cname}"
}
remove_field => ["host", "@version", "@timestamp", "cname", "cage"]
}
}
output {
http {
url => "http://localhost:9200/index/doc/_update_by_query"
http_method => "post"
format => "json"
}
}
答案 1 :(得分:-1)
使用标准的 elasticsearch 插件可以获得相同的结果:
input {
elasticsearch {
hosts => "${ES_HOSTS}"
user => "${ES_USER}"
password => "${ES_PWD}"
index => "<your index pattern>"
size => 500
scroll => "5m"
docinfo => true
}
}
filter {
...
}
output {
elasticsearch {
hosts => "${ES_HOSTS}"
user => "${ES_USER}"
password => "${ES_PWD}"
action => "update"
document_id => "%{[@metadata][_id]}"
index => "%{[@metadata][_index]}"
}
}