我使用错误的@timestamp
字段错误地将大量文档摄入Elasticsearch。我已经更改了受影响的Logstash管道以使用正确的时间戳,但我无法重新获取旧数据。
但是我有另一个文档字段可以用作时间戳(json.created_at
)。所以我想更新这个领域。我发现我可以使用the _update_by_query
动作来做到这一点,但我已经尝试了几个不起作用的版本,包括:
POST logstash-rails_models-*/_update_by_query
{
"script": {
"lang": "painless",
"source": "ctx._source.@timestamp = ctx._source.json.created_at"
}
}
这抱怨了一个意外的角色:
{
"error": {
"root_cause": [
{
"type": "script_exception",
"reason": "compile error",
"script_stack": [
"ctx._source.@timestamp = ctx._source. ...",
" ^---- HERE"
],
"script": "ctx._source.@timestamp = ctx._source.json.created_at",
"lang": "painless"
}
],
"type": "script_exception",
"reason": "compile error",
"script_stack": [
"ctx._source.@timestamp = ctx._source. ...",
" ^---- HERE"
],
"script": "ctx._source.@timestamp = ctx._source.json.created_at",
"lang": "painless",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "unexpected character [@].",
"caused_by": {
"type": "lexer_no_viable_alt_exception",
"reason": null
}
}
},
"status": 500
}
我该怎么办?
访问此字段的正确方法是通过括号并用引号括起来:
POST logstash-rails_models-*/_update_by_query
{
"script": {
"lang": "painless",
"source": "ctx._source['@timestamp'] = ctx._source.json.created_at"
}
}
另请参阅this thread以及有关updating fields with Painless的更多信息。