In this post, we will see how to resolve Fetching the entire elasticsearch document into a logstash event

Question:

How can I store the entire document found via the elasticsearch filter into the current logstash event? As far as I can tell, I can only target fields to be copied over manually by using the “fields” attribute of the ES filter. Moreover, I cannot exactly use the ‘fields’ attribute because I am querying across multiple indexes that have different shapes which may change in the future.
Ideally, my logstash event will have a new attribute ‘results’ or something of the like that contains a list of the documents that matched the query.
I would essentially like to do something like this:

filter {
  elasticsearch {
    query => "{memberGuid: %{[memberGuid]}"
    index => "members-*"
    fields => { "_document" => "results" }
    result_size => 1000
  }
}

I’ve tried using wildcard matching for the source fields, to no avail.

Best Answer:

Tldr;

This is possible with the docinfo_fields that let you access the _<fields> of the query.

Solution

filter {
  elasticsearch {
    query => "{memberGuid: %{[memberGuid]}"
    index => "members-*"
    docinfo_fields => { "_source" => "results" }
    result_size => 1000
  }
}

If you have better answer, please add a comment about this, thank you!

Source: Stackoverflow.com

Resolved: Fetching the entire elasticsearch document into a logstash event

Resolved: linq2db throws exception when filtering by nested collection

Resolved: Table data is coming as empty in React

Resolved: In a Pinescript v5 Strategy why is my bool not working?