I have a doubt on how the logstash updates the existing record in the elastic search index with the same document_id, and it executes as a scheduled job with a database (ES-LS-DB). Is logstash remove all the records in the index and re insert all or just update the updated record by matching the document id? (this document id is get from the db)
use replace in filter on config file: Value type is hash There is no default value for this setting. Replace a field with a new value. The new value can include %{foo} strings to help you build a new value from other parts of the event.
Example:
filter {
mutate {
replace => { "message" => "%{source_host}: My new message" }
}
}