我使用错误的@timestamp字段错误地将许多文档摄取到Elasticsearch中。我已经更改了受影响的Logstash管道以使用正确的时间戳,但是我无法重新摄取旧数据。
但是,我确实有另一个可用作时间戳记(json.created_at)的文档字段。所以我想更新这个领域。我发现我可以使用the _update_by_query操作来执行此操作,但是我尝试了多个无效的版本,包括:
POST logstash-rails_models-*/_update_by_query
{
"script": {
"lang": "painless",
"source": "ctx._source.@timestamp = ctx._source.json.created_at"
}
}
这抱怨一个意外的字符:
{
"error": {
"root_cause": [
{
"type": "script_exception",
"reason": "compile error",
"script_stack": [
"ctx._source.@timestamp = ctx._source. ...",
" ^---- HERE"
],
"script": "ctx._source.@timestamp = ctx._source.json.created_at",
"lang": "painless"
}
],
"type": "script_exception",
"reason": "compile error",
"script_stack": [
"ctx._source.@timestamp = ctx._source. ...",
" ^---- HERE"
],
"script": "ctx._source.@timestamp = ctx._source.json.created_at",
"lang": "painless",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "unexpected character [@].",
"caused_by": {
"type": "lexer_no_viable_alt_exception",
"reason": null
}
}
},
"status": 500
}
我该怎么办?
答案 0 :(得分:0)
访问此字段的正确方法是通过方括号并用引号引起来:
POST logstash-rails_models-*/_update_by_query
{
"script": {
"lang": "painless",
"source": "ctx._source['@timestamp'] = ctx._source.json.created_at"
}
}
另请参阅this thread和有关updating fields with Painless的更多信息。