Logstash output to ES, using join (how to use parent)

https://discuss.elastic.co/t/how-to-create-a-parent-using-the-new-join-type-with-logstash/119523?u=bulu
First set up your mapping to create the join field:
(Not sure how to do this straight from Logstash. If someone else does, please let me know.)

PUT logstash-index-name
{
  "mappings": {
    "doc": {
      "properties": {
        "join_field": { 
          "type": "join",
          "relations": {
            "customer": "actions"
          }
        }
      }
    }
  }
}
You can add a parent via Logstash with:

mutate {
	add_field => { "join_field" => "customer" }			
}
And you can add a child like this:

mutate {
	add_field => {"[join_field][name]" => "actions"}
	add_field => {"[join_field][parent]" => "%{parent_id}"}
}
You also need to add the routing id in the Logstash output Elasticsearch plugin:

if [type] == "child_actions" {		
	elasticsearch {
		hosts => [ "localhost:9200" ]
		index => "logstash-index-name"
		routing => "%{parent_id}"
	}		
}
All child documents will now have the "join_field" as a nested field.
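
The document shapes and routing values that the configuration above is meant to produce, written out as an added Python example (not part of the original post and not Logstash's own code). The event layout with "id", "type" and "parent_id", and the bulk-style output, are assumptions made for illustration; the index name, mapping type and relation names are the ones used above.

```python
import json

INDEX = "logstash-index-name"  # index name used on this page
DOC_TYPE = "doc"               # mapping type used on this page


def to_bulk_lines(event):
    """Return the (action, source) JSON lines of a _bulk request for one event.

    Assumed event shape (hypothetical): "id", "type" ("customer" or
    "child_actions") and, for children, "parent_id".
    """
    source = {k: v for k, v in event.items() if k not in ("id", "type")}
    if event["type"] == "child_actions":
        parent_id = str(event.get("parent_id") or "")
        # Logstash leaves "%{parent_id}" as literal text when the field is
        # missing, which would route the child by that literal string.
        if not parent_id or parent_id.startswith("%{"):
            raise ValueError("child %s has no usable parent_id" % event["id"])
        source["join_field"] = {"name": "actions", "parent": parent_id}
        routing = parent_id  # same shard as the parent
    else:
        source["join_field"] = "customer"
        routing = str(event["id"])  # a parent is routed by its own id
    action = {"index": {"_index": INDEX, "_type": DOC_TYPE,
                        "_id": str(event["id"]), "routing": routing}}
    return json.dumps(action, sort_keys=True), json.dumps(source, sort_keys=True)


def build_bulk_body(events):
    """Newline-delimited _bulk body; raises on a child without a parent id."""
    lines = []
    for event in events:
        lines.extend(to_bulk_lines(event))
    return "\n".join(lines) + "\n"


# Constructed sample events, not taken from the original post.
SAMPLE_EVENTS = [
    {"id": "c1", "type": "customer", "name": "Acme"},
    {"id": "a1", "type": "child_actions", "parent_id": "c1", "action": "login"},
]

if __name__ == "__main__":
    print(build_bulk_body(SAMPLE_EVENTS), end="")
```

Both documents carry routing "c1", which is what keeps the child on the same shard as its parent.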