Tags: elasticsearch, logstash

elasticsearch query in logstash filter


This derives from Daily load of weekly records in elastic through logstash ignoring repeated records

I'm trying to check, before processing the event, whether there is any record in the index with the same values in several fields as my current event, so in the filter plugin I'm trying this:

    filter {
      elasticsearch {
        hosts => <host ip>
        ca_file => <ca file path>
        user => <authentication username>
        password => <authentication password>
        index => <index name I want to query>
        # field values from the current event are expected to be substituted here
        query => "period:${[period]} AND station:${[station]} AND checkDate:${[checkDate]}"
      }
    }

Where period, station and checkDate are fields present in the index, and where I expect to find those fields' values on my current event at ${[field_name]}, as I've parsed them with a csv filter.

However, no matter how much I try to tweak the syntax, I always get a "Failed to parse query" error, seemingly finding "]" where "TO" was expected ¿¿??

I haven't been able to find anything on the internet that points to what is wrong with my query syntax, and I've tried a zillion syntax variations without success.

Can anyone point out whether there is an error in the query?



Solution

  • If you want to access values from the event fields, you need to use the %{} notation, not ${}

    period:%{[period]} AND station:%{[station]} AND checkDate:%{[checkDate]}
           ^                       ^                          ^
           |                       |                          |
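A complete pipeline filter that applies the fix above, added here as an example and not part of the original question or answer. It assumes the csv column names, the placeholder connection values in angle brackets, and that a hit on the lookup means the record is already indexed and should be dropped (the goal of the linked question). It also shows why the original error mentions "TO": because ${[period]} is never expanded, the literal brackets reach Elasticsearch's query_string parser, which reads "[" as the start of a Lucene range clause ("[a TO b]") and fails when it meets "]" without a "TO". Quoting each interpolated value keeps characters such as the ":" in a timestamp from being parsed as query syntax.

```logstash
filter {
  # Assumed column layout of the incoming CSV line.
  csv {
    columns => ["period", "station", "checkDate", "value"]
  }

  # Look for an already-indexed document with the same period, station
  # and checkDate. %{[field]} is the Logstash sprintf notation; ${...}
  # is left untouched and would be sent to Elasticsearch literally.
  elasticsearch {
    hosts    => ["https://<host ip>:9200"]   # placeholder, as in the question
    ca_file  => "<ca file path>"             # placeholder
    user     => "<authentication username>"  # placeholder
    password => "<authentication password>"  # placeholder
    index    => "<index name I want to query>"
    # Quote each value so Lucene matches it literally instead of treating
    # ':' or '-' inside it as query syntax.
    query    => 'period:"%{[period]}" AND station:"%{[station]}" AND checkDate:"%{[checkDate]}"'
    # Copy a field from the first hit into event metadata; when there is
    # no hit the target stays unset, which is what the conditional tests.
    fields   => { "period" => "[@metadata][existing_period]" }
    result_size => 1
    # The filter sorts on @timestamp by default; disable sorting if the
    # target index has no such field, otherwise the lookup itself fails.
    enable_sort => false
    tag_on_failure => ["_elasticsearch_lookup_failure"]
  }

  # A match means the same record is already in the index: drop the duplicate.
  if [@metadata][existing_period] {
    drop { }
  }
}
```

Events that fail the lookup for connection or parsing reasons are tagged with _elasticsearch_lookup_failure rather than dropped, so a transient outage does not silently discard records; routing tagged events to a separate output makes such failures visible.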