Add an array using Mutate's add_field

buch11 · September 25, 2019, 2:17am

Hi Guys,

I have a logstash pipeline where I am receiving a JSON file as HTTP input and forwarding it to output plugin.
I want to introduce below structure to input JSON :

"parentField": {
"field0": "value0",
"arrayName": [
{
"field1": "value1",
"field2": "value2"
}
]
}

To achieve that I am trying to use below filter ::
filter {
mutate {
add_field => { "[parentField][field0]" => "value0" }
add_field => { "[parentField][arrayName][0][field1]" => "value1" }
add_field => { "[parentField][arrayName][0][field2]" => "value2" }
}
}

But in this case [0] gets translated to a literal "0" and is being treated as a key instead of array index.
Meaning [parentField][arrayName][0][field1] gets translated to
parentfield => arrayname => "0" => {"field1" => "value1", "field2" => "value2"}

What I am trying to achieve is
parentfield => arrayname => [[0] "field1"=>"value1", "field2" => "value2"]

How do I add an array of fields using mutate's add_filter?

Badger · September 25, 2019, 1:23pm

You can add an array of strings using

mutate { add_field => { "foo" => [ "a",  "b" ] } }

I do not think you can add an array of hashes

buch11 · September 25, 2019, 11:54pm

If I can not use mutate, is there any other way of achieving this?

Badger · September 26, 2019, 3:46pm

You can do pretty much anything with a ruby filter.

buch11 · October 1, 2019, 1:06am

cool, thanks!

I just found out that I can write plugins in java as well - https://www.elastic.co/guide/en/logstash/current/contributing-java-plugin.html

system · October 29, 2019, 1:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.