如何用Elasticsearch中的另一个字段覆盖@timestamp字段?

问题描述 投票:0回答:1

我使用错误的@timestamp字段错误地将大量文档摄入Elasticsearch。我已经更改了受影响的Logstash管道以使用正确的时间戳,但我无法重新获取旧数据。

但是我有另一个文档字段可以用作时间戳(json.created_at)。所以我想更新这个领域。我发现我可以使用the _update_by_query动作来做到这一点,但我已经尝试了几个不起作用的版本,包括:

POST logstash-rails_models-*/_update_by_query
{
  "script": {
    "lang": "painless",
    "source": "ctx._source.@timestamp = ctx._source.json.created_at"
  }
}

这抱怨了一个意外的角色:

{
  "error": {
    "root_cause": [
      {
        "type": "script_exception",
        "reason": "compile error",
        "script_stack": [
          "ctx._source.@timestamp = ctx._source. ...",
          "            ^---- HERE"
        ],
        "script": "ctx._source.@timestamp = ctx._source.json.created_at",
        "lang": "painless"
      }
    ],
    "type": "script_exception",
    "reason": "compile error",
    "script_stack": [
      "ctx._source.@timestamp = ctx._source. ...",
      "            ^---- HERE"
    ],
    "script": "ctx._source.@timestamp = ctx._source.json.created_at",
    "lang": "painless",
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "unexpected character [@].",
      "caused_by": {
        "type": "lexer_no_viable_alt_exception",
        "reason": null
      }
    }
  },
  "status": 500
}

我该怎么办?

elasticsearch
1个回答
0
投票

访问此字段的正确方法是通过括号并用引号括起来:

POST logstash-rails_models-*/_update_by_query
{
  "script": {
    "lang": "painless",
    "source": "ctx._source['@timestamp'] = ctx._source.json.created_at"
  }
}

另请参阅this thread以及有关updating fields with Painless的更多信息。

© www.soinside.com 2019 - 2024. All rights reserved.