<img src="//i.stack.imgur.com/RUiNP.png" height="16" width="18" alt="" class="sponsor tag img">elasticsearch 在ElasticSearch中更新记录_<img Src="//i.stack.imgur.com/RUiNP.png" Height="16" Width="18" Alt="" Class="sponsor Tag Img">elasticsearch_Logstash

elasticsearch 在ElasticSearch中更新记录

logstash

elasticsearch 在ElasticSearch中更新记录,elasticsearch,logstash,elasticsearch,Logstash,我想为特定索引中的所有记录更新logdate列。从我到目前为止读到的情况来看，这似乎是不可能的？我是对的以下是一个文档示例： { "_index": "logstash-01-2015", "_type": "ufdb", "_id": "AU__EvrALg15uxY1Wxf9", "_score": 1, "_source": { "mess

我想为特定索引中的所有记录更新

logdate

列。从我到目前为止读到的情况来看，这似乎是不可能的？我是对的

以下是一个文档示例：

{
            "_index": "logstash-01-2015",
            "_type": "ufdb",
            "_id": "AU__EvrALg15uxY1Wxf9",
            "_score": 1,
            "_source": {
               "message": "2015-08-14 06:50:05 [31946] PASS  level2      10.249.10.70    level2     ads       http://ad.360yield.com/unpixel.... GET",
               "@version": "1",
               "@timestamp": "2015-09-24T11:17:57.389Z",
               "type": "ufdb",
               "file": "/usr/local/ufdbguard/logs/ufdbguardd.log",
               "host": "PROXY-DEV",
               "offset": "3983281700",
               "logdate": "2015-08-14T04:50:05.000Z",
               "status": "PASS",
               "group": "level2",
               "clientip": "10.249.10.70",
               "category": "ads",
               "url": "http://ad.360yield.com/unpixel....",
               "method": "GET",
               "tags": [
                  "_grokparsefailure"
               ]
            }
         }

PUT /test_index/doc/1
{
   "message": "2015-08-14 06:50:05 [31946] PASS  level2      10.249.10.70    level2     ads       http://ad.360yield.com/unpixel.... GET",
   "@version": "1",
   "@timestamp": "2015-09-24T11:17:57.389Z",
   "type": "ufdb",
   "file": "/usr/local/ufdbguard/logs/ufdbguardd.log",
   "host": "PROXY-DEV",
   "offset": "3983281700",
   "logdate": "2015-08-14T04:50:05.000Z",
   "status": "PASS",
   "group": "level2",
   "clientip": "10.249.10.70",
   "category": "ads",
   "url": "http://ad.360yield.com/unpixel....",
   "method": "GET",
   "tags": [
      "_grokparsefailure"
   ]
}

GET /test_index/doc/1

您可以使用

为了测试它，我创建了一个简单的索引：

PUT /test_index

然后创建了一个文档：

{
            "_index": "logstash-01-2015",
            "_type": "ufdb",
            "_id": "AU__EvrALg15uxY1Wxf9",
            "_score": 1,
            "_source": {
               "message": "2015-08-14 06:50:05 [31946] PASS  level2      10.249.10.70    level2     ads       http://ad.360yield.com/unpixel.... GET",
               "@version": "1",
               "@timestamp": "2015-09-24T11:17:57.389Z",
               "type": "ufdb",
               "file": "/usr/local/ufdbguard/logs/ufdbguardd.log",
               "host": "PROXY-DEV",
               "offset": "3983281700",
               "logdate": "2015-08-14T04:50:05.000Z",
               "status": "PASS",
               "group": "level2",
               "clientip": "10.249.10.70",
               "category": "ads",
               "url": "http://ad.360yield.com/unpixel....",
               "method": "GET",
               "tags": [
                  "_grokparsefailure"
               ]
            }
         }

PUT /test_index/doc/1
{
   "message": "2015-08-14 06:50:05 [31946] PASS  level2      10.249.10.70    level2     ads       http://ad.360yield.com/unpixel.... GET",
   "@version": "1",
   "@timestamp": "2015-09-24T11:17:57.389Z",
   "type": "ufdb",
   "file": "/usr/local/ufdbguard/logs/ufdbguardd.log",
   "host": "PROXY-DEV",
   "offset": "3983281700",
   "logdate": "2015-08-14T04:50:05.000Z",
   "status": "PASS",
   "group": "level2",
   "clientip": "10.249.10.70",
   "category": "ads",
   "url": "http://ad.360yield.com/unpixel....",
   "method": "GET",
   "tags": [
      "_grokparsefailure"
   ]
}

GET /test_index/doc/1

现在，我可以使用以下工具对文档进行部分更新：

POST /test_index/doc/1/_update
{
    "doc": {
        "logdate": "2015-09-25T12:20:00.000Z"
    }
}

如果检索文档：

{
            "_index": "logstash-01-2015",
            "_type": "ufdb",
            "_id": "AU__EvrALg15uxY1Wxf9",
            "_score": 1,
            "_source": {
               "message": "2015-08-14 06:50:05 [31946] PASS  level2      10.249.10.70    level2     ads       http://ad.360yield.com/unpixel.... GET",
               "@version": "1",
               "@timestamp": "2015-09-24T11:17:57.389Z",
               "type": "ufdb",
               "file": "/usr/local/ufdbguard/logs/ufdbguardd.log",
               "host": "PROXY-DEV",
               "offset": "3983281700",
               "logdate": "2015-08-14T04:50:05.000Z",
               "status": "PASS",
               "group": "level2",
               "clientip": "10.249.10.70",
               "category": "ads",
               "url": "http://ad.360yield.com/unpixel....",
               "method": "GET",
               "tags": [
                  "_grokparsefailure"
               ]
            }
         }

PUT /test_index/doc/1
{
   "message": "2015-08-14 06:50:05 [31946] PASS  level2      10.249.10.70    level2     ads       http://ad.360yield.com/unpixel.... GET",
   "@version": "1",
   "@timestamp": "2015-09-24T11:17:57.389Z",
   "type": "ufdb",
   "file": "/usr/local/ufdbguard/logs/ufdbguardd.log",
   "host": "PROXY-DEV",
   "offset": "3983281700",
   "logdate": "2015-08-14T04:50:05.000Z",
   "status": "PASS",
   "group": "level2",
   "clientip": "10.249.10.70",
   "category": "ads",
   "url": "http://ad.360yield.com/unpixel....",
   "method": "GET",
   "tags": [
      "_grokparsefailure"
   ]
}

GET /test_index/doc/1

我将看到

logdate

属性已更新：

{
   "_index": "test_index",
   "_type": "doc",
   "_id": "1",
   "_version": 2,
   "found": true,
   "_source": {
      "message": "2015-08-14 06:50:05 [31946] PASS  level2      10.249.10.70    level2     ads       http://ad.360yield.com/unpixel.... GET",
      "@version": "1",
      "@timestamp": "2015-09-24T11:17:57.389Z",
      "type": "ufdb",
      "file": "/usr/local/ufdbguard/logs/ufdbguardd.log",
      "host": "PROXY-DEV",
      "offset": "3983281700",
      "logdate": "2015-09-25T12:20:00.000Z",
      "status": "PASS",
      "group": "level2",
      "clientip": "10.249.10.70",
      "category": "ads",
      "url": "http://ad.360yield.com/unpixel....",
      "method": "GET",
      "tags": [
         "_grokparsefailure"
      ]
   }
}

下面是我用来测试它的代码：

你是对的，这是不可能的

有一个开放的问题需要很长时间，我不确定它是否会很快实现，因为它对于底层的lucene引擎来说是非常有问题的。它需要删除所有文档并重新编制它们的索引

github上提供了一个，但它是实验性的，我从未尝试过

更新2018-05-02

最初的答案相当古老。现在支持。

您所说的“更新”是什么意思？是否将该值更改为其他字符串？是否将其转换为日期对象而不是字符串？是否将值复制到@timestamp？或者？我想将所有文档的logdate字段更改为另一个日期。在MySQL中，我会这样做：

UPDATE logstash SET logdate=“2015-09-20T04:50:05.000Z”

但我似乎只能通过提供其_id来更新一个文档。谢谢您的回答。我想我解释得不对。我已经检查了更新API，但是我可以看到，为了运行更新，您必须提供_id字段。在我的例子中，我希望对所有文档运行更新，以使“logdate”相同。