Updated: 2023-01-31 12:45:24
You can use the elasticsearch input on employees_data.
In your filter, use the elasticsearch filter on transaction_data:
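input {
  # Read every document from employees_data, sorted by code (descending).
  # The sort is part of the query body.
  elasticsearch {
    hosts => "localhost"
    index => "employees_data"
    query => '{ "query": { "match_all": { } }, "sort": [ { "code": "desc" } ] }'
    scroll => "5m"
    docinfo => true
  }
}
filter {
  # For each employee event, look up the transaction_data document with the
  # same code and copy its Month and payment fields into the event.
  elasticsearch {
    hosts => "localhost"
    index => "transaction_data"
    query => 'code:"%{[code]}"'
    fields => {
      "Month" => "Month"
      "payment" => "payment"
    }
  }
}
output {
  # Write the joined documents to the third index.
  elasticsearch {
    hosts => ["localhost"]
    index => "join1"
  }
}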
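Then send the new documents to a third index with the elasticsearch output.
You will have 3 Elasticsearch connections, and the results may be a little slow. But it works.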
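The filter's query is built by substituting each event's code value into a query string, so a value containing a double quote would change the query that gets sent. The following added example (not part of the original answer and not Logstash code) is a simplified Ruby model of that per-event lookup with the value escaped first, assuming the value is substituted as-is and the filter returns one result; the helper names and sample data are constructed.

```ruby
# Added illustration: a simplified model of the per-event lookup, not Logstash source.
# All helper names and sample records below are hypothetical/constructed.

# Inside a quoted Lucene phrase only backslash and double quote are special,
# so escaping those two keeps the value inside code:"...".
def escape_phrase(value)
  value.to_s.gsub(/[\\"]/) { |ch| "\\#{ch}" }
end

# Query string sent for one employees_data event.
def lookup_query(event)
  %(code:"#{escape_phrase(event['code'])}")
end

# Source field => destination field, mirroring the filter's `fields` option.
FIELDS = { 'Month' => 'Month', 'payment' => 'payment' }.freeze

# Copy the mapped fields from the first hit into the event.
# With no hit the event is passed through unchanged.
def join_event(event, hits)
  joined = event.dup
  first = hits.first
  return joined if first.nil?

  FIELDS.each do |src, dest|
    joined[dest] = first[src] if first.key?(src)
  end
  joined
end

# Constructed stand-in for the transaction_data index.
TRANSACTIONS = [
  { 'code' => 'E100', 'Month' => 'Jan', 'payment' => 1200 },
  { 'code' => 'E200', 'Month' => 'Jan', 'payment' => 900 }
].freeze

# Exact-match lookup standing in for the Elasticsearch query.
def find_hits(code)
  TRANSACTIONS.select { |t| t['code'] == code }
end

if __FILE__ == $PROGRAM_NAME
  event = { 'code' => 'E100', 'name' => 'Ann' }
  puts lookup_query(event)
  puts join_event(event, find_hits(event['code'])).inspect
end
```

In a real pipeline the same escaping can be applied to the code field in an earlier filter stage, before the elasticsearch filter runs.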