leveryd-asm / asm

Scanner platform based on Kubernetes and Argo-Workflow 基于k8s和argo工作流的扫描器
https://leveryd-asm.github.io/asm-document
MIT License
106 stars 6 forks

elasticsearch painless script overwrites the original document #40

Closed · leveryd closed this 1 year ago

leveryd commented 1 year ago

Background

output {
  elasticsearch {
    ...
    # Painless update script; `params.event` is the Logstash event passed to the script.
    script => "
      if(ctx.op == 'create') {
        // First time this document id is seen: store the event and record when it was created.
        ctx._source=params.event;
        ctx._source.first_create_time = params.event.get('@timestamp');
      } else {
        // Existing document: replaces the whole _source with the event (the problem described below).
        String old = ctx._source.get('first_create_time');
        ctx._source = params.event;
        ctx._source.last_update_time = params.event.get('@timestamp');
        ctx._source.first_create_time = old;
      }
    "
  }
}

`ctx._source = params.event;` overwrites the entire existing document, including the `@version` information. The `org` and `parsed-domain` fields generated in indices such as `port` and `subdomain` are also lost.

This can also hurt performance when the pipeline runs, because the number of records being operated on grows.

leveryd commented 1 year ago

How to fix it?

ctx._source = params.event;

Change it to

// Merge the event into the existing document field by field instead of replacing it.
for (entry in params.event.entrySet()) {
  ctx._source[entry.getKey()] = entry.getValue();
}
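To make the difference between the two scripts concrete, here is an added example (not code from this issue or from the asm project) that simulates both Painless update branches in Python against a constructed stored document and a constructed new event. The field names `org`, `parsed-domain`, `host` and `port` and the timestamps are assumptions chosen to mirror the issue; only the `update` branch matters for the bug, since on `create` there is no existing document to lose.

```python
"""Simulate the overwrite vs. merge Painless update scripts from this issue.

Added example, not part of the leveryd-asm/asm project. The documents below are
constructed for illustration; the field names are assumptions.
"""
import copy

# Constructed: a document already stored in the index. `@version` was set by
# Logstash; `org` and `parsed-domain` were added by the index's own enrichment.
EXISTING_DOC = {
    "@timestamp": "2023-01-01T00:00:00Z",
    "@version": "1",
    "host": "example.com",
    "org": "Example Org",
    "parsed-domain": "example.com",
    "first_create_time": "2023-01-01T00:00:00Z",
}

# Constructed: the new Logstash event for the same document id (params.event).
# It carries only the fields the scanner emitted this time.
NEW_EVENT = {
    "@timestamp": "2023-02-01T00:00:00Z",
    "host": "example.com",
    "port": 443,
}


def overwrite_update(source, event, op="update"):
    """Original script: `ctx._source = params.event` replaces the whole document."""
    if op == "create":
        ctx_source = copy.deepcopy(event)
        ctx_source["first_create_time"] = event.get("@timestamp")
    else:
        old = ctx_source_first = copy.deepcopy(source).get("first_create_time")
        ctx_source = copy.deepcopy(event)  # every stored field absent from `event` is gone
        ctx_source["last_update_time"] = event.get("@timestamp")
        ctx_source["first_create_time"] = old
    return ctx_source


def merge_update(source, event, op="update"):
    """Fixed script: copy params.event key by key, keeping fields the event lacks."""
    if op == "create":
        ctx_source = copy.deepcopy(event)
        ctx_source["first_create_time"] = event.get("@timestamp")
    else:
        ctx_source = copy.deepcopy(source)
        old = ctx_source.get("first_create_time")
        for key, value in event.items():  # for (entry in params.event.entrySet())
            ctx_source[key] = value
        ctx_source["last_update_time"] = event.get("@timestamp")
        ctx_source["first_create_time"] = old
    return ctx_source


def lost_fields(source, event, update_fn):
    """Fields present in the stored document that `update_fn` would drop."""
    result = update_fn(source, event)
    return sorted(key for key in source if key not in result)


if __name__ == "__main__":
    print("overwrite loses:", lost_fields(EXISTING_DOC, NEW_EVENT, overwrite_update))
    print("merge loses:    ", lost_fields(EXISTING_DOC, NEW_EVENT, merge_update))
```

Running it shows the overwrite variant dropping `@version`, `org` and `parsed-domain` while the merge variant keeps them and still picks up the new `port` field. Two caveats the merge form does not solve: a field the event carries with the same name as an enrichment field still overwrites it, and a field that disappears from later events is never removed from the stored document.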