1

我最近在 Elasticsearch 的摄取管道中添加了一个 GeoIP 处理器。这很好用,并为新摄取的文档添加了新字段。我想通过对索引执行 _update_by_query 将 GeoIP 字段添加到旧数据中,但是,它似乎不接受“处理器”作为参数。

我想做的是这样的:

POST my_index*/_update_by_query
{
 "refresh": true,
 "processors": [
   {
     "geoip" : {
        "field": "doc['client_ip']",
        "target_field" : "geo",
        "database_file" : "GeoLite2-City.mmdb",
        "properties":["continent_name", "country_iso_code", "country_name", "city_name", "timezone", "location"]
    }
   }
 ],
 "script": {
  "day_of_week": {
    "type": "long",
    "script": "emit(doc['@timestamp'].value.withZoneSameInstant(ZoneId.of(doc['geo.timezone'])).getDayOfWeek().getValue())"
  },
  "hour_of_day": {
    "type": "long",
    "script": "emit(doc['@timestamp'].value.withZoneSameInstant(ZoneId.of(doc['geo.timezone'])).getHour())"
  },
  "office_hours": {
    "script": "if (doc['day_of_week'].value< 6 && doc['day_of_week'].value > 0) {if (doc['hour_of_day'].value> 7 && doc['hour_of_day'].value<19) {return 1;} else {return -1;} } else {return -1;}"
  }
 }
}

我收到以下错误:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "parse_exception",
        "reason" : "Expected one of [source] or [id] fields, but found none"
      }
    ],
    "type" : "parse_exception",
    "reason" : "Expected one of [source] or [id] fields, but found none"
  },
  "status" : 400
}
4

1 回答 1

1

由于您已准备好摄取管道,因此您只需在对_update_by_query端点的调用中引用它,如下所示:

POST my_index*/_update_by_query?pipeline=my-pipeline
                                    ^
                                    |
                                 add this
于 2021-11-16T15:30:09.157 回答