How can I store the entire document found via the elasticsearch filter into the current logstash event? As far as I can tell, I can only target fields to be copied over manually by using the "fields" attribute of the ES filter. Moreover, I cannot exactly use the 'fields' attribute because I am querying across multiple indexes that have different shapes which may change in the future.
Ideally, my logstash event will have a new attribute 'results' or something of the like that contains a list of the documents that matched the query.
I would essentially like to do something like this:
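    filter {
      elasticsearch {
        # Lucene query string; the event's memberGuid value is interpolated
        query => "memberGuid:%{[memberGuid]}"
        index => "members-*"
        # desired behaviour: copy the whole matched document into "results"
        fields => { "_document" => "results" }
        result_size => 1000
      }
    }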
I've tried using wildcard matching for the source fields, to no avail.
This is possible with docinfo_fields, which lets you access the _<fields> of the query.
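    filter {
      elasticsearch {
        # Lucene query string; the event's memberGuid value is interpolated
        query => "memberGuid:%{[memberGuid]}"
        index => "members-*"
        # copy each hit's _source (the full document) into the "results" field
        docinfo_fields => { "_source" => "results" }
        result_size => 1000
      }
    }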