by Arround The Web

Elasticsearch Remove Field

“When working with Elasticsearch indices, you may encounter an instance where you need to remove a field from an existing document. Unfortunately, Elasticsearch does not provide a native request we can use to perform the said action.

We can, however, use the document update API and pass a script that allows us to remove a field based on its name.”

NOTE: This process requires you to have basic knowledge of Elasticsearch scripting and the document update API. Feel free to explore the docs or our tutorials on the topic to learn more.

Let’s dive in.

Check If Document Exists

Before removing a field from a specific document, it’s good to ensure that the target document exists within the index.

We can use the search API to fetch the target document.

For example, suppose we have the kibana_sample_data_logs index. We can search the index for a document that contains a specific IP.

NOTE: The following example is used for illustration purposes only. You can use various methods to verify if a specific document is available in the index.

curl -XGET "http://localhost:9200/kibana_sample_data_logs/_search" -H "kbn-xsrf: reporting" -H "Content-Type: application/json" -d'
{
  "size": 0,
  "query": {"match": {
    "ip": "171.24.97.162"
  }}
}'

Resulting output:

{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 17,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

Next, a simple script can remove a target field from the document. Start by logging into your Kibana console and running the command:

curl -XPOST "http://localhost:9200/kibana_sample_data_logs/_update/5pA49IIBkTjaZ6TtsiB5" -H "kbn-xsrf: reporting" -H "Content-Type: application/json" -d'
{
  "script": "ctx._source.remove('\''ip'\'')"
}'

The above request uses a Painless script to update the document with the specified ID and remove its “ip” field.

Output:

{
  "_index": "kibana_sample_data_logs",
  "_id": "5pA49IIBkTjaZ6TtsiB5",
  "_version": 2,
  "result": "updated",
  "_shards": {
    "total": 2,
    "successful": 2,
    "failed": 0
  },
  "_seq_no": 14074,
  "_primary_term": 1
}

Once the document is updated, you can verify the change by running the following query:

curl -XGET "http://localhost:9200/kibana_sample_data_logs/_doc/5pA49IIBkTjaZ6TtsiB5" -H "kbn-xsrf: reporting"

The request above should return the data stored in the document with the specified ID.

We can verify the IP field is no longer in the document.
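
When the removal is automated and the field name comes from a variable, passing it through the script's params keeps it out of the Painless source, so quotes in the name cannot alter the script and the compiled script is reused between calls. The following is an added example, not code from the original article: the function names are hypothetical, and it goes beyond the single-document case above by also building a body for the _update_by_query endpoint, limited to documents that actually have the field.

```python
import json
import urllib.request

# Constant script source: the field name is passed in "params", so it is
# treated as data and never parsed as part of the Painless script.
REMOVE_SCRIPT = "ctx._source.remove(params.field)"


def remove_field_body(field):
    """Body for POST /<index>/_update/<id> that removes one top-level field."""
    if not isinstance(field, str) or not field:
        raise ValueError("field must be a non-empty string")
    return {
        "script": {
            "lang": "painless",
            "source": REMOVE_SCRIPT,
            "params": {"field": field},
        }
    }


def remove_field_by_query_body(field):
    """Body for POST /<index>/_update_by_query, restricted to documents
    in which the field exists so other documents are not rewritten."""
    body = remove_field_body(field)
    body["query"] = {"exists": {"field": field}}
    return body


def post_json(url, body, timeout=10):
    """POST the body as JSON and return the decoded JSON response."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Index name and document ID are the ones used in this article.
    base = "http://localhost:9200/kibana_sample_data_logs"
    print(post_json(base + "/_update/5pA49IIBkTjaZ6TtsiB5", remove_field_body("ip")))
```
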

Conclusion

In this article, you learned how to use Elasticsearch scripting capabilities to remove a field from an existing document.

Thanks for reading!!


Source: linuxhint.com
