8

Is there a way to tell Logstash to remove/update some log entries from Elasticsearch? It seems that Logstash can index documents but I didn't find evidence that it can make update/delete operations.

If it is possible, we could imagine that we could "log" operations on Elasticsearch and use Logstash to output them in bulk in Elasticsearch. This way the programmer doesn't have to create a mechanism to make bulk operations on Elasticsearch.

Heschoon
  • I suspect you can do that by setting the document_id option of the elasticsearch output. You obviously have to be able to generate a unique and reproducible id for each log entry. – Magnus Bäck Apr 17 '15 at 09:54
  • The idea is nice and gives a way to update the log. It doesn't give the possibility to delete the log, however. – Heschoon Apr 17 '15 at 10:15
  • Possible duplicate of [Importing and updating data in Elasticsearch](http://stackoverflow.com/questions/21716002/importing-and-updating-data-in-elasticsearch) – Amir Ali Akbari Dec 03 '16 at 13:02

1 Answer

5

Everything is in the docs.

To update an entry with Logstash, you need to provide the document id in document_id and the document will be replaced with the new content.

To delete a document with Logstash, provide its id in document_id and set the action field to "delete".

Heschoon
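The approach from the answer written out as a full pipeline, added here as an example and not the answerer's code: each event names its own operation, and the elasticsearch output picks the action and document id from it. The `op` and `entry_id` event fields, the host and the index name are assumptions.

```logstash
# Added example. Assumed input: one JSON object per line carrying an "op"
# field ("index" or "delete") and a stable "entry_id". Constructed samples:
#   {"op":"index","entry_id":"42","message":"first version"}
#   {"op":"index","entry_id":"42","message":"corrected version"}   <- replaces the first
#   {"op":"delete","entry_id":"42"}                                <- removes it
input {
  stdin { codec => json_lines }
}

filter {
  # Allowlist the operations. Anything else (or a missing op) is dropped, so an
  # event cannot select an action the pipeline was never meant to perform.
  if [op] not in ["index", "delete"] {
    drop { }
  }

  # Reproducible id: the same entry_id always maps to the same document id,
  # which is what lets a later event replace or delete an earlier one.
  fingerprint {
    source => ["entry_id"]
    method => "SHA256"
    target => "[@metadata][doc_id]"
  }

  # Move the control field into @metadata so it is not stored in the document.
  mutate {
    rename => { "op" => "[@metadata][action]" }
  }
}

output {
  elasticsearch {
    hosts       => ["http://localhost:9200"]   # assumption
    # Assumption: a fixed index. With a date-based index name, a delete sent on
    # a later day would target a different index than the one holding the doc.
    index       => "app-logs"
    action      => "%{[@metadata][action]}"    # sprintf: "index" or "delete"
    document_id => "%{[@metadata][doc_id]}"
  }
}
```

Because this pipeline can erase indexed log entries, the credentials it runs with and the sources allowed to feed it events deserve the same control as direct delete access to the index.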